This is the start of the stable review cycle for the 3.16.60 release. There are 366 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Fri Oct 19 17:00:00 UTC 2018. Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.
Ben.
-------------
Aaron Ma (2):
      HID: core: Fix size as type u32 [6de0b13cc0b4ba10e98a9263d7a83b940720b77a]
      HID: i2c-hid: fix size check and type usage [ac75a041048b8c1f7418e27621ca5efda8571043]
Al Viro (12):
      Don't leak MNT_INTERNAL away from internal mounts [16a34adb9392b2fe4195267475ab5b472e55292c]
      affs_lookup(): close a race with affs_remove_link() [30da870ce4a4e007c901858a96e9e394a1daa74a]
      aio: fix io_destroy(2) vs. lookup_ioctx() race [baf10564fbb66ea222cae66fbff11c444590ffd9]
      do d_instantiate/unlock_new_inode combinations safely [1e2e547a93a00ebc21582c06ca3c6cfea2a309ee]
      ext2: fix a block leak [5aa1437d2d9a068c0334bd7c9dafa8ec4f97f13b]
      fix io_destroy()/aio_complete() race [4faa99965e027cc057c5145ce45fa772caa04e8d]
      hypfs_kill_super(): deal with failed allocations [a24cd490739586a7d2da3549a1844e1d7c4f4fc4]
      jffs2_kill_sb(): deal with failed allocations [c66b23c2840446a82c389e4cb1a12eb2a71fa2e4]
      rpc_pipefs: fix double-dput() [4a3877c4cedd95543f8726b0a98743ed8db0c0fb]
      udf: fix the udf_iget() vs. udf_new_inode() races [b231509616feb911c2a7a8814d58c0014ef5b17f]
      udf: merge the pieces inserting a new non-directory object into directory [d2be51cb34dc501791f3b8c01a99a3f2064bd8d1]
      ufs: deal with nfsd/iget races [e4502c63f56aeca887ced37f24e0def1ef11cec8]
Alan Cox (1): tty: handle the case where we cannot restore a line discipline [8a8dabf2dd68caff842d38057097c23bc514ea6e]
Alan Stern (1): USB: Accept bulk endpoints with 1024-byte maxpacket [fb5ee84ea72c5f1b6cabdd1c9d6e8648995ca7c6]
Alex Smith (1): mmc: jz4740: Fix race condition in IRQ mask update [a04f0017c22453613d5f423326b190c61e3b4f98]
Alexander Gerasiov (1): parport_pc: Add support for WCH CH382L PCI-E single parallel port card. [823f7923833c6cc2b16e601546d607dcfb368004]
Alexey Khoroshilov (2):
      vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() [fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f]
      vmxnet3: fix checks for dma mapping errors [5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c]
Amir Goldstein (1): fanotify: fix logic of events on child [54a307ba8d3cd00a3902337ffaae28f436eeb1a4]
Andrew Morton (1): fs/reiserfs/journal.c: add missing resierfs_warning() arg [9ad553abe66f8be3f4755e9fa0a6ba137ce76341]
Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg [1b97013bfb11d66f041de691de6f0fec748ce016]
Andy King (1): VMXNET3: Check for map error in vmxnet3_set_mc [4ad9a64f53c619969dede1143d56ccda1a453c39]
Aneesh Kumar K.V (1): powerpc/mm/hugetlb: initialize the pagetable cache correctly for hugetlb [6fa504835d6969144b2bd3699684dd447c789ba2]
Ard Biesheuvel (1): efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode [0b3225ab9407f557a8e20f23f37aa7236c10a9b1]
Arnaldo Carvalho de Melo (1): perf top: Document --ignore-vmlinux [a8403912d04e2c8271653bb5b7f6294dc6d322ac]
Arnd Bergmann (1): media: s3c-camif: fix out-of-bounds array access [a398e043637a4819a0e96467bfecaabf3224dd62]
Bai Ping (1): thermal: imx: register irq handler later in probe [84866ee5818e95f6e97194656777c10ac24cb9d3]
Bart Van Assche (1): IB/srp: Fix srp_abort() [e68088e78d82920632eba112b968e49d588d02a2]
Ben Hutchings (4):
      ALSA: timer: Fix pause event notification [3ae180972564846e6d794e3615e1ab0a1e6c4ef9]
      drm/msm: Fix possible null dereference on failure of get_pages() [3976626ea3d2011f8fd3f3a47070a8b792018253]
      ppp: Fix null pointer dereference on registration failure [96d934c70db6e1bc135600c57da1285eaf7efb26]
      scsi: qla2xxx: Avoid double completion of abort command [3a9910d7b686546dcc9986e790af17e148f1c888]
Bharat Potnuri (1): iw_cxgb4: Atomically flush per QP HW CQEs [2df19e19ae90d94fd8724083f161f368a2797537]
Bin Liu (1): usb: musb: host: fix potential NULL pointer dereference [2b63f1329df2cd814c1f8353fae4853ace6521d1]
Bjorn Helgaas (1): drm/radeon: make MacBook Pro d3_delay quirk more generic [5938628c51a711ae2169d68b2e3a4f7d93d4dbea]
Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers [5697db4a696c41601a1d15c1922150b4dbf5726c]
Brad Volkin (1): drm/i915: Log a message when rejecting LRM to OACONTROL [00caf0199f66871b0e2c28d7c2079de0ce1d646c]
Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable [1485991c024603b2fb4ae77beb7a0d741128a48e]
Chao Yu (2):
      f2fs: reposition unlock_new_inode to prevent accessing invalid inode [b73e52824c8920a5ff754e3c8ff68466a7dd61f9]
      udf: avoid unneeded up_write when fail to add entry in ->symlink [85cd083b498572fb9fa575cce3ed910c8ee84294]
Charles Keepax (2):
      regmap: Correct offset handling in regmap_volatile_range [b8f9a03b741ddfdde4aa8b607fa7d88eb63a6338]
      regmap: Don't use format_val in regmap_bulk_read [9ae27a8d1f3ebff09191fb8cb1341414547293b2]
Chris Mason (1): Btrfs: use insert_inode_locked4 for inode creation [b0d5d10f41a0f1cd839408dd94427f2db3553bca]
Chris Metcalf (3):
      Make asm/word-at-a-time.h available on all architectures [a6e2f029ae34f41adb6ae3812c32c5d326e1abd2]
      string: provide strscpy() [30035e45753b708e7d47a98398500ca005e02b86]
      word-at-a-time.h: fix some Kbuild files [19c22f3a29fa8669c477f20a65f6c7c27108972a]
Clemens Werther (1): USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator [6555ad13a01952c16485c82a52ad1f3e07e34b3a]
Colin Ian King (5):
      KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" [ba3696e94d9d590d9a7e55f68e81c25dba515191]
      RDMA/iwpm: fix memory leak on map_info [f96416cea7bce9afe619c15e87fced70f93f9098]
      media: cx25821: prevent out-of-bounds read on array card [67300abdbe9f1717532aaf4e037222762716d0f6]
      rtc: tx4939: avoid unintended sign extension on a 24 bit shift [347876ad47b9923ce26e686173bbf46581802ffa]
      staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr [e1a7418529e33bc4efc346324557251a16a3e79b]
Collin May (1): USB: serial: simple: add libtransistor console [fe710508b6ba9d28730f3021fed70e7043433b2e]
Cong Wang (2):
      llc: fix NULL pointer deref for SOCK_ZAPPED [3a04ce7130a7e5dad4e78d45d50313747f8c830f]
      llc: hold llc_sap before release_sock() [f7e43672683b097bb074a8fe7af9bc600a23f231]
Dan Carpenter (2):
      net: ethernet: davinci_emac: fix error handling in probe() [8005b09d99fac78e6f5fb9da30b5ae94840af03b]
      xen/acpi: off by one in read_acpi_id() [c37a3c94775855567b90f91775b9691e10bd2806]
Daniel Borkmann (1): bpf, x64: fix memleak when not converging after image [3aab8884c9eb99189a3569ac4e6b205371c9ac0b]
Danilo Krummrich (1): fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table [a0b0d1c345d0317efe594df268feb5ccc99f651e]
Danit Goldberg (1): IB/mlx5: Use unlimited rate when static rate is not supported [4f32ac2e452c2180cd2df581cbadac183e27ecd0]
Dave Airlie (1): drm: set FMODE_UNSIGNED_OFFSET for drm files [76ef6b28ea4f81c3d511866a9b31392caa833126]
David Henningsson (1): ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr [f853dcaae2f5bbe021161e421bd1576845bae8f6]
David Howells (1): afs: Fix directory permissions check [378831e4daec75fbba6d3612bcf3b4dd00ddbf08]
David Lechner (1): pinctrl: pinctrl-single: Fix pcs_request_gpio() when bits_per_mux != 0 [45dcb54f014d3d1f5cc3919b5f0c97087d7cb3dd]
Davidlohr Bueso (5):
      Revert "ipc/shm: Fix shmat mmap nil-page protection" [a73ab244f0dad8fffb3291b905f73e2d3eaa7c00]
      ipc,shm: move BUG_ON check into shm_lock [c5c8975b2eb4eb7604e8ce4f762987f56d2a96a2]
      ipc/sem: make semctl setting sempid consistent [a5f4db877177d2a3d7ae62a7bac3a5a27e083d7f]
      ipc/shm: fix shmat() nil address after round-down when remapping [8f89c007b6dec16a1793cb88de88fcc02117bbbc]
      ipc: convert invalid scenarios to use WARN_ON [d0edd8528362c07216498340e928159510595e7b]
Dennis Wassenberg (1): Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list [b56af54ac78c54a519d82813836f305d7f76ef27]
Dexuan Cui (1): tick/broadcast: Use for_each_cpu() specially on UP kernels [5596fe34495cf0f645f417eb928ef224df3e3cb4]
Dmitry Safonov (1): tracing/uprobe: Drop isdigit() check in create_trace_uprobe [5ba8a4a96f6eaa6af88e24c7794f142217aa3b6f]
Dou Liyang (1): x86/acpi: Prevent X2APIC id 0xffffffff from being accounted [10daf10ab154e31237a8c07242be3063fb6a9bf4]
Eliot Blennerhassett (1): ALSA: asihpi: used parts of message/response are zeroed before use [51e6f47dd2e3463dac6f37128fd7b7cb40c500de]
Eric Biggers (5):
      KEYS: DNS: limit the length of option strings [9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60]
      crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one [8f461b1e02ed546fbd0f11611138da67fd85a30f]
      ext4: correctly detect when an xattr value has an invalid size [d7614cc16146e3f0b4c33e71875c19607602aed5]
      ipc/shm: fix use-after-free of shm file via remap_file_pages() [3f05317d9889ab75c7190dcd39491d2a97921984]
      ppp: remove the PPPIOCDETACH ioctl [af8d3c7c001ae7df1ed2b2715f058113efc86187]
Eric Dumazet (21):
      crypto: af_alg - fix possible uninit-value in alg_bind() [a466856e0b7ab269cdf9461886d007e88ff575b0]
      dccp: fix tasklet usage [a8d7aa17bbc970971ccdf71988ea19230ab368b1]
      ip6_gre: better validate user provided tunnel names [5f42df013b8bc1b6511af7a04bf93b014884ae2a]
      ip6_tunnel: better validate user provided tunnel names [db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257]
      ip_tunnel: better validate user provided tunnel names [9cb726a212a82c88c98aa9f0037fd04777cd8fe5]
      ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy [aa8f8778493c85fff480cdf8b349b1e1dcb5f243]
      ipv6: sit: better validate user provided tunnel names [b95211e066fc3494b7c115060b2297b4ba21f025]
      llc: better deal with too small mtu [2c5d5b13c6eb79f5677e206b8aad59b3a2097f60]
      net: af_packet: fix race in PACKET_{R|T}X_RING [5171b37d959641bbc619781caf62e61f7b940871]
      net: fix rtnh_ok() [b1993a2de12c9e75c35729e2ffbc3a92d50c0d31]
      net: fix uninit-value in __hw_addr_add_ex() [77d36398d99f2565c0a8d43a86fd520a82e64bb8]
      net: initialize skb->peeked when cloning [b13dda9f9aa7caceeee61c080c2e544d5f5d85e5]
      net_sched: fq: take care of throttled flows before reuse [7df40c2673a1307c3260aab6f9d4b9bf97ca8fd7]
      netlink: fix uninit-value in netlink_sendmsg [6091f09c2f79730d895149bcfe3d66140288cd0e]
      sctp: do not leak kernel memory to user space [6780db244d6b1537d139dea0ec8aad10cf9e4adb]
      soreuseport: initialise timewait reuseport field [3099a52918937ab86ec47038ad80d377ba16c531]
      tcp: fix TCP_REPAIR_QUEUE bound checking [bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9]
      tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets [7212303268918b9a203aebeacfdbd83b5e87b20d]
      tcp: purge write queue in tcp_connect_init() [7f582b248d0a86bae5788c548d7bb5bca6f7691a]
      vti6: better validate user provided tunnel names [537b361fbcbcc3cd6fe2bb47069fd292b9256d16]
      xfrm6: avoid potential infinite loop in _decode_session6() [d9f92772e8ec388d070752ee8f187ef8fa18621f]
Eric W. Biederman (4):
      ipc/msg: Fix msgctl(..., IPC_STAT, ...) between pid namespaces [39a4940eaa185910bb802ca9829c12268fd2c855]
      ipc/sem: Fix semctl(..., GETPID, ...) between pid namespaces [51d6f2635b39709ee5e62479be23d423b760292c]
      ipc/shm: Fix shmctl(..., IPC_STAT, ...) between pid namespaces. [98f929b1bd4d0b7c7a77d0d9776d1b924db2e454]
      ipc/util: Helpers for making the sysvipc operations pid namespace aware [03f1fc09180b345582889a344b012d069b3a6dbe]
Eryu Guan (1): ext4: protect i_disksize update by i_data_sem in direct write path [73fdad00b208b139cf43f3163fbc0f67e4c6047c]
Fabián Inostroza (1): ALSA: line6: Use correct endpoint type for midi output [7ecb46e9ee9af18e304eb9e7d6804c59a408e846]
Federico Cuello (1): ALSA: usb: mixer: volume quirk for CM102-A+/102S+ [21493316a3c4598f308d5a9fa31cc74639c4caff]
Filipe Manana (3):
      Btrfs: don't leave dangling dentry if symlink creation failed [d50866d00fb39fcf72307001763ee9cc92625a43]
      Btrfs: ensure tmpfile inode is always persisted with link count of 0 [5762b5c958abbecb7fb9f4596a6476d1ce91ecf6]
      Btrfs: fix copy_items() return value when logging an inode [8434ec46c6e3232cebc25a910363b29f5c617820]
Florent Flament (1): drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log [280b54ade5914d3b4abe4f0ebe083ddbd4603246]
Florian Fainelli (2):
      net: bcmgenet: Fix sparse warnings in bcmgenet_put_tx_csum() [6f89421180f15867dc1472d9edf68f82b0ed5ee6]
      net: systemport: Fix sparse warnings in bcm_sysport_insert_tsb() [c0eb05585d4184596453622b5abba7d13dd20667]
Florian Westphal (1): netfilter: nf_tables: can't fail after linking rule into active rule list [569ccae68b38654f04b6842b034aa33857f605fe]
Francisco Jerez (1): drm/i915: Fix command parser to validate multiple register access with the same command. [6a65c5b9326c9dd391afb1b3df75cbedffbaccdb]
Geert Uytterhoeven (6):
      serial: arc_uart: Fix out-of-bounds access through DT alias [f9f5786987e81d166c60833edcb7d1836aa16944]
      serial: fsl_lpuart: Fix out-of-bounds access through DT alias [ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47]
      serial: imx: Fix out-of-bounds access through serial port index [5673444821406dda5fc25e4b52aca419f8065a19]
      serial: mxs-auart: Fix out-of-bounds access through serial port index [dd345a31bfdec350d2593e6de5964e55c7f19c76]
      serial: pxa: Fix out-of-bounds access through serial port index [afc7851fab8329eddcf321c9e0a58c893f351dd6]
      serial: xuartps: Fix out-of-bounds access through DT alias [e7d75e18d0fc3f7193b65282b651f980c778d935]
Govindarajulu Varadarajan (1): enic: set DMA mask to 47 bit [322eaa06d55ebc1402a4a8d140945cff536638b4]
Greg Kroah-Hartman (1): USB: serial: visor: handle potential invalid device configuration [4842ed5bfcb9daf6660537d70503c18d38dbdbb8]
Guenter Roeck (4):
      hwmon: (nct6683) Enable EC access if disabled at boot [dbac00f0cf634120d77edee10d25e3f6899d7636]
      hwmon: (nct6775) Fix writing pwmX_mode [415eb2a1aaa4881cf85bd86c683356fdd8094a23]
      hwmon: (pmbus/adm1275) Accept negative page register values [ecb29abd4cb0670c616fb563a078f25d777ce530]
      hwmon: (pmbus/max8688) Accept negative page register values [a46f8cd696624ef757be0311eb28f119c36778e8]
Guillaume Nault (12):
      l2tp: check sockaddr length in pppol2tp_connect() [eb1c28c05894a4b1f6b56c5bf072205e64cfa280]
      l2tp: fix race in duplicate tunnel detection [f6cd651b056ffd3b4e8496afd44d4ed44bf69136]
      l2tp: fix races in tunnel creation [6b9f34239b00e6956a267abed2bc559ede556ad6]
      l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow [5411b6187adf62909e3b998ac782e722904c7487]
      l2tp: hold reference on tunnels in netlink dumps [5846c131c39b6d0add36ec19dc8650700690f930]
      l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file [f726214d9b23e5fce8c11937577a289a3202498f]
      l2tp: hold reference on tunnels printed in pppol2tp proc file [0e0c3fee3a59a387aeecc4fca6f3a2e9615a5443]
      ppp: fix device unregistration upon netns deletion [8cb775bc0a34dc596837e7da03fd22c747be618b]
      ppp: fix lockdep splat in ppp_dev_uninit() [58a89ecaca53736aa465170530acea4f8be34ab4]
      ppp: fix race in ppp device destruction [6151b8b37b119e8e3a8401b080d532520c95faf4]
      ppp: unlock all_ppp_mutex before registering device [0171c41835591e9aa2e384b703ef9a6ae367c610]
      pppoe: check sockaddr length in pppoe_connect() [a49e2f5d5fb141884452ddb428f551b123d436b5]
Gustavo A. R. Silva (3):
      atm: zatm: Fix potential Spectre v1 [2be147f7459db5bbf292e0a6f135037b55e20b39]
      kernel/sys.c: fix potential Spectre v1 issue [23d6aef74da86a33fa6bb75f79565e0a16ee97c2]
      net: atm: Fix potential Spectre v1 [acf784bd0ce257fe43da7ca266f7a10b837479d2]
Hans de Goede (1): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs [184add2ca23ce5edcac0ab9c3b9be13f91e7b567]
Heinrich Schuchardt (1): usb: musb: gadget: misplaced out of bounds check [af6f8529098aeb0e56a68671b450cf74e7a64fcd]
Helge Deller (2):
      parisc: Fix HPMC handler by increasing size to multiple of 16 bytes [d5654e156bc4d68a87bbaa6d7e020baceddf6e68]
      parisc: Fix out of array access in match_pci_device() [615b2665fd20c327b631ff1e79426775de748094]
Hendrik Brueckner (1): s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero [4bbaf2584b86b0772413edeac22ff448f36351b1]
Herbert Xu (1): crypto: ahash - Fix early termination in hash walk [900a081f6912a8985dc15380ec912752cb66025a]
Himanshu.Madhani@Cavium.Com (1): scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS [1514839b366417934e2f1328edb50ed1e8a719f5]
Hpreg@Vmware.Com (1): vmxnet3: set the DMA mask before the first DMA map operation [61aeecea40afb2b89933e27cd4adb10fc2e75cfd]
Huacai Chen (1): zboot: fix stack protector in compressed boot phase [7bbaf27d9c83037b6e60a818e57bdbedf6bc15be]
Ian Kent (1): autofs: mount point create should honour passed in mode [1e6306652ba18723015d1b4967fe9de55f042499]
Igor Pylypiv (1): watchdog: f71808e_wdt: Fix WD_EN register read [977f6f68331f94bb72ad84ee96b7b87ce737d89d]
Ilya Dryomov (1): libceph: validate con->state at the top of try_write() [9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7]
Ivan Khoronzhuk (1): net: ethernet: ti: cpdma: correct error handling for chan create [8a83c5d7969b8433584e3cf658a8d76c4dc37f4d]
Jack Morgenstein (1): net/mlx4: Fix irq-unsafe spinlock usage [d546b67cda015fb92bfee93d5dc0ceadb91deaee]
Jaegeuk Kim (2):
      f2fs: call f2fs_unlock_op after error was handled [44c16156512f33c81e382a1e1df9524e26a7026a]
      f2fs: go out for insert_inode_locked failure [a21c20f0c812925085204fced932ac95f2a76bf0]
James Kelly (1): ASoC: ssm2602: Replace reg_default_raw with reg_default [a01df75ce737951ad13a08d101306e88c3f57cb2]
Jan Kara (3):
      bdi: Fix oops in wb_workfn() [b8b784958eccbf8f51ebeee65282ca3fd59ea391]
      ufs: Fix possible deadlock when looking up directories [514d748f69c97a51a2645eb198ac5c6218f22ff9]
      ufs: Fix warning from unlock_new_inode() [12ecbb4b1d765a5076920999298d9625439dbe58]
Jann Horn (1): tcp: don't read out-of-bounds opsize [7e5a206ab686f098367b61aca989f5cdfa8114a3]
Jason Andryuk (1): HID: i2c-hid: Fix "incomplete report" noise [ef6eaf27274c0351f7059163918f3795da13199c]
Jeff Moyer (1): block_invalidatepage(): only release page if the full page was invalidated [3172485f4f8032649c144e4aafa550e1e6179332]
Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list [fa89adba1941e4f3b213399b81732a5c12fd9131]
Jerome Brunet (1): clk: fix mux clock documentation [fe3f338f0cb2ed4d4f06da054c21ae2f8a36ef2d]
Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() [6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89]
Jiri Olsa (1): perf record: Put new line after target override warning [c3dec27b7f70a9ad5f777d943d51ecdfcd9824d0]
Joakim Tjernlund (3):
      mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block. [6510bbc88e3258631831ade49033537081950605]
      mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug. [46a16a2283f9e678a4e26829175e0c37a5191860]
      mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block. [7b70eb14392a7cf505f9b358d06c33b5af73d1e7]
Joe Jin (1): xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent [4855c92dbb7b3b85c23e88ab7ca04f99b9677b41]
Joerg Roedel (1): x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y [d6ef1f194b7569af8b8397876dc9ab07649d63cb]
Johan Hovold (2):
      USB: serial: cp210x: add ELDAT Easywave RX09 id [1f1e82f74c0947e40144688c9e36abe4b3999f49]
      rfkill: gpio: fix memory leak in probe error path [4bf01ca21e2e0e4561d1a03c48c3d740418702db]
Jonathan Neuschäfer (1): net: core: dst: Add kernel-doc for 'net' parameter [8eb1a8590f5ca114fabf16ebb26a4bce0255ace9]
Julian Anastasov (3):
      ipv4: fix fnhe usage by non-cached routes [94720e3aee6884d8c8beb678001629da60ec6366]
      ipvs: fix buffer overflow with sync daemon and service [52f96757905bbf0edef47f3ee6c7c784e7f8ff8a]
      ipvs: fix stats update from local clients [d5e032fc5697b6c0d6b4958bcacb981a08f8174e]
Julian Wiedmann (5):
      s390/qdio: don't merge ERROR output buffers [0cf1e05157b9e5530dcc3ca9fec9bf617fc93375]
      s390/qdio: don't release memory in qdio_setup_irq() [2e68adcd2fb21b7188ba449f0fab3bee2910e500]
      s390/qdio: don't retry EQBS after CCQ 96 [dae55b6fef58530c13df074bcc182c096609339e]
      s390/qdio: fix access to uninitialized qdio_q fields [e521813468f786271a87e78e8644243bead48fad]
      s390/qeth: handle failure on workqueue creation [a936b1ef37ce1e996533878f4b23944f9444dcdf]
Kai-Heng Feng (2):
      sky2: Increase D3 delay to sky2 stops working after suspend [afb133637071be6deeb8b3d0e55593ffbf63c527]
      xhci: Fix USB ports for Dell Inspiron 5775 [621faf4f6a181b6e012c1d1865213f36f4159b7f]
Kamil Lulko (1): usb: core: Add quirk for HP v222w 16GB Mini [3180dabe08e3653bf0a838553905d88f3773f29c]
Kenny Yu (1): uprobe: Find last occurrence of ':' when parsing uprobe PATH:OFFSET [6496bb72bf20c1c7e4d6be44dfa663163e709116]
Kirill A. Shutemov (1): ipc/shm: handle removed segments gracefully in shm_mmap() [1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e]
Krzysztof Mazur (1): um: Use POSIX ucontext_t instead of struct ucontext [4d1a535b8ec5e74b42dfd9dc809142653b2597f6]
Kyle Roeschley (1): USB: serial: cp210x: add ID for NI USB serial console [1e23aace21515a8f7615a1de016c0ea8d4e0cc6e]
Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt [988bf7243e03ef69238381594e0334a79cef74a6]
Leon Romanovsky (1): RDMA/mlx5: Protect from shift operand overflow [002bf2282b2d7318e444dca9ffcb994afc5d5f15]
Leonard Crestez (1): crypto: arm,arm64 - Fix random regeneration of S_shipped [6aaf49b495b446ff6eec0ac983f781ca0dc56a73]
Li RongQing (1): x86/apic: Fix signedness bug in APIC ID validity checks [a774635db5c430cbf21fa5d2f2df3d23aaa8e782]
Linus Lüssing (1): batman-adv: Fix TT sync flags for intermediate TT responses [7072337e52b3e9d5460500d8dc9cbc1ba2db084c]
Linus Torvalds (3):
      give up on gcc ilog2() constant optimizations [474c90156c8dcc2fa815e6716cc9394d7930cb9c]
      mmap: introduce sane default mmap limits [be83bbf806822b1b89e0a0f23cd87cddc409e429]
      mmap: relax file size limit for regular files [423913ad4ae5b3e8fb8983f70969fb522261ba26]
Liu Bo (3):
      Btrfs: bail out on error during replay_dir_deletes [b98def7ca6e152ee55e36863dddf6f41f12d1dc6]
      Btrfs: fix NULL pointer dereference in log_dir_items [80c0b4210a963e31529e15bf90519708ec947596]
      Btrfs: fix unexpected cow in run_delalloc_nocow [5811375325420052fcadd944792a416a43072b7f]
Long Li (1): cifs: Allocate validate negotiation request through kmalloc [2796d303e3c5ec213c578ed3a66872205c126eb8]
Maciej W. Rozycki (3):
      MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs [9a3a92ccfe3620743d4ae57c987dc8e9c5f88996]
      MIPS: ptrace: Expose FIR register through FP regset [71e909c0cdad28a1df1fa14442929e68615dee45]
      MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs [c7e814628df65f424fe197dde73bfc67e4a244d7]
Mahesh Rajashekhara (1): scsi: sd: Defer spinning up drive while SANITIZE is in progress [505aa4b6a8834a2300971c5220c380c3271ebde3]
Major Hayden (1): USB: serial: ftdi_sio: add RT Systems VX-8 cable [9608e5c0f079390473b484ef92334dfd3431bb89]
Marc Dionne (1): afs: Ignore AFS_ACE_READ and AFS_ACE_WRITE for directories [fd2498211a551fd42b2d6b9050d649d43536e75c]
Marc Zyngier (1): KVM: arm/arm64: Close VMID generation race [f0cf47d939d0b4b4f660c5aaa4276fa3488f3391]
Marek Lindner (1): batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs [16116dac23396e73c01eeee97b102e4833a4b205]
Mark Brown (1): regmap: Support bulk reads for devices without raw formatting [d5b98eb12420ce856caaf57dc5256eedc56a3747]
Markus Elfring (2):
      tracing: Deletion of an unnecessary check before iput() [16a8ef2751801346f1f76a18685b2beb63cd170f]
      video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() [f9815f945aff2204b8afbbb9d2182024eb44a194]
Martin K. Petersen (1): scsi: mptsas: Disable WRITE SAME [94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84]
Martin Kelly (2):
      iio:buffer: make length types match kfifo types [c043ec1ca5baae63726aae32abbe003192bc6eec]
      iio:kfifo_buf: check for uint overflow [3d13de4b027d5f6276c0f9d3a264f518747d83f2]
Masami Hiramatsu (3):
      ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr [eb0146daefdde65665b7f076fbff7b49dade95b9]
      ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions [0d73c3f8e7f6ee2aab1bb350f60c180f5ae21a2c]
      tracing/uprobe_event: Fix strncpy corner case [50268a3d266ecfdd6c5873d62b2758d9732fc598]
Mathieu Desnoyers (1): tracepoint: Do not warn on ENOMEM [d66a270be3310d7aa132fec0cea77d3d32a0ff75]
Matt Redfearn (4):
      MIPS: memset.S: EVA & fault support for small_memset [8a8158c85e1e774a44fbe81106fa41138580dfd1]
      MIPS: memset.S: Fix clobber of v1 in last_fixup [c96eebf07692e53bf4dd5987510d8b550e793598]
      MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup [daf70d89f80c6e1772233da9e020114b1254e7e0]
      MIPS: uaccess: Add micromips clobbers to bzero invocation [b3d7e55c3f886493235bfee08e1e5a4a27cbcce8]
Matthew Auld (1): drm/i915/userptr: reject zero user_size [c11c7bfd213495784b22ef82a69b6489f8d0092f]
Matthew Wilcox (1): mm/filemap.c: fix NULL pointer in page_cache_tree_insert() [abc1be13fd113ddef5e2d807a466286b864caed3]
Mauro Carvalho Chehab (1): media: v4l2-compat-ioctl32: don't oops on overlay [85ea29f19eab56ec16ec6b92bc67305998706afa]
Michael Ellerman (1): powerpc/lib: Fix off-by-one in alternate feature patching [b8858581febb050688e276b956796bc4a78299ed]
Michael Neuling (3):
      powerpc/64s: Clear PCR on boot [faf37c44a105f3608115785f17cbbf3500f8bc71]
      powerpc/eeh: Fix enabling bridge MMIO windows [13a83eac373c49c0a081cbcd137e79210fe78acd]
      powerpc/eeh: Fix race with driver un/bind [f0295e047fcf52ccb42561fb7de6942f5201b676]
Michael S. Tsirkin (6):
      virtio: add ability to iterate over vqs [24a7e4d20783c0514850f24a5c41ede46ab058f0]
      virtio_console: don't tie bufs to a vq [2855b33514d290c51d52d94e25d3ef942cd4d578]
      virtio_console: drop custom control queue cleanup [61a8950c5c5708cf2068b29ffde94e454e528208]
      virtio_console: free buffers after reset [a7a69ec0d8e4a58be7db88d33cbfa2912807bb2b]
      virtio_console: move removal code [aa44ec867030a72e8aa127977e37dec551d8df19]
      virtio_console: reset on out of memory [5c60300d68da32ca77f7f978039dc72bfc78b06b]
Michal Srb (1): drm/i915/cmdparser: Do not check past the cmd length. [3aec7f871c65eb5f76b4125fda432593c834a6f2]
Mika Westerberg (2):
      ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status() [13d3047c81505cc0fb9bdae7810676e70523c8bf]
      ahci: Add PCI ID for Cannon Lake PCH-LP AHCI [4544e403eb25552aed7f0ee181a7a506b8800403]
Mike Frysinger (1): vt: change SGR 21 to follow the standards [65d9982d7e523a1a8e7c9af012da0d166f72fc56]
Mike Galbraith (1): sched/autogroup: Fix 64-bit kernel nice level adjustment [83929cce95251cc77e5659bf493bd424ae0e7a67]
Mike Kravetz (1): hugetlbfs: fix bug in pgoff overflow checking [5df63c2a149ae65a9ec239e7c2af44efa6f79beb]
Mikhail Lappo (1): thermal: imx: Fix race condition in imx_thermal_probe() [cf1ba1d73a33944d8c1a75370a35434bf146b8a7]
Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range [6ad4e91c6d796b38a7f0e724db1de28eeb122bad]
Nicholas Piggin (5):
      powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently [0bfdf598900fd62869659f360d3387ed80eb71cf]
      powerpc/powernv: Fix NVRAM sleep in invalid context when crashing [c1d2a31397ec51f0370f6bd17b19b39152c263cb]
      powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops [3b8070335f751aac9f1526ae2e012e6f5b8b0f21]
      powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() [741de617661794246f84a21a02fc5e327bffc9ad]
      powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops [34dd25de9fe3f60bfdb31b473bf04b28262d0896]
Nico Sneck (1): drm/radeon: add PX quirk for Asus K73TK [b1550359d1eb392ee54f7cf47cffcfe0a602f6a7]
Nicolas Dichtel (1): ip_tunnel: restore binding to ifaces with a large mtu [82612de1c98e610d194e34178bde3cca7dedce41]
Nicolas Ferre (1): ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property [e8fd0adf105e132fd84545997bbef3d5edc2c9c1]
Nicolin Chen (1): ASoC: fsl_esai: Fix divisor calculation failure at lower ratio [c656941df9bc80f7ec65b92ca73c42f8b0b62628]
Nikolay Borisov (3):
      btrfs: Fix possible softlock on single core machines [1e1c50a929bc9e49bc3f9935b92450d9e69f8158]
      btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol [d87ff75863e92a500538ab53318c5740f196631e]
      btrfs: Refactor transaction handling in received subvolume ioctl [efd38150af45375b46576d0110a323d7fab7e142]
Ondrej Zary (2):
      Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad [04bb1719c4de94700056241d4c0fe3c1413f5aff]
      drm/i915: Disable LVDS on Radiant P845 [7f7105f99b75aca4f8c2a748ed6b82c7f8be3293]
Paolo Abeni (2):
      netfilter: ebtables: handle string from userspace with care [94c752f99954797da583a84c4907ff19e92550a4]
      team: avoid adding twice the same option to the event list [4fb0534fb7bbc2346ba7d3a072b538007f4135a5]
Paul Parsons (1): drm/radeon: Fix PCIe lane width calculation [85e290d92b4b794d0c758c53007eb4248d385386]
Peng Hao (1): kvm: x86: fix a compile warning [3140c156e919b0f5fad5c5f6cf7876c39d1d4f06]
Peter Rosin (3):
      i2c: pmcmsp: fix error return from master_xfer [12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b]
      i2c: pmcmsp: return message count on master_xfer success [de9a8634f1cb4560a35696d472cc7f1383d9b866]
      i2c: viperboard: return message count on master_xfer success [35cd67a0caf767aba472452865dcb4471fcce2b1]
Peter Zijlstra (5):
      clocksource: Initialize cs->wd_list [5b9e886a4af97574ca3ce1147f35545da0e7afc7]
      perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* [ef9ee4ad38445a30909c48998624861716f2a994]
      perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() [46b1b577229a091b137831becaa0fae8690ee15a]
      sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] [354d7793070611b4df5a79fbb0f12752d0ed0cc5]
      sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] [7281c8dec8a87685cb54d503d8cceef5a0fc2fdd]
Piaojun (1): ocfs2/dlm: wait for dlm recovery done when migrating all lock resources [60c7ec9ee4a3410c2cb08850102d363c7e207f48]
Prakash Kamliya (1): drm/msm: fix leak in failed get_pages [62e3a3e342af3c313ab38603811ecdb1fcc79edb]
Qu Wenruo (1): btrfs: tests/qgroup: Fix wrong tree backref level [3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a]
Raju Rangoju (1): RDMA/cxgb4: release hw resources on device removal [26bff1bd74a4f7417509a83295614e9dab995b2a]
Rasmus Villemoes (1): drivers: tty: Merge alloc_tty_struct and initialize_tty_struct [2c964a2f4191f2229566895f1a0e85f8339f5dd1]
Ravi Chandra Sadineni (1): USB: Increment wakeup count on remote wakeup. [83a62c51ba7b3c0bf45150c4eac7aefc6c785e94]
Richard Weinberger (2):
      ubi: Reject MLC NAND [b5094b7f135be34630e3ea8a98fa215715d0f29d]
      ubifs: Check ubifs_wbuf_sync() return code [aac17948a7ce01fb60b9ee6cf902967a47b3ce26]
Robbie Ko (1): Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2]
Rodrigo Rivas Costa (1): HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device [a955358d54695e4ad9f7d6489a7ac4d69a8fc711]
Roland Dreier (3):
      RDMA/ucma: Allow resolving address w/o specifying source address [09abfe7b5b2f442a85f4c4d59ecf582ad76088d7]
      RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device [8435168d50e66fa5eae01852769d20a36f9e5e83]
      RDMA/ucma: Introduce safer rdma_addr_size() variants [84652aefb347297aa08e91e283adf7b18f77c2d5]
Romain Izard (1): ubi: Fix error for write access [78a8dfbabbece22bee58ac4cb26cab10e7a19c5d]
Ronnie Sahlberg (1): cifs: fix memory leak in SMB2_open() [b7a73c84eb96dabd6bb8e9d7c56f796d83efee8e]
Russell King (1): ARM: keystone: fix platform_domain_notifier array overrun [9954b80b8c0e8abc98e17bba0fccd9876211ceaa]
SZ Lin (1): NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 [9306b38e42cb266f98bff6f6f4c1c652aa79ba45]
Sachin Grover (1): selinux: KASAN: slab-out-of-bounds in xattr_getsecurity [efe3de79e0b52ca281ef6691480c8c68c82a4657]
Sean Young (1): media: rc: oops in ir_timer_keyup after device unplug [8d4068810d9926250dd2435719a080b889eb44c3]
Sebastian Ott (1): s390/cio: update chpid descriptor after resource accessibility event [af2e460ade0b0180d0f3812ca4f4f59cc9597f3e]
Sekhar Nori (1): ARM: davinci: board-dm646x-evm: set VPIF capture card name [bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c]
Sergei Shtylyov (1): drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 [8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4]
Shamir Rabinovitch (1): RDMA/ucma: ucma_context reference leak in error path [ef95a90ae6f4f21990e1f7ced6719784a409e811]
Shuah Khan (2): usbip: vhci_hcd: Fix usb device and sockfd leaks [9020a7efe537856eb3e826ebebdf38a5d07a7857] usbip: vhci_hcd: check rhport before using in vhci_hub_control() [5b22f676118ff25049382041da0db8012e57c9e8]
Song Liu (1): tracing: Fix bad use of igrab in trace_uprobe.c [0c92c7a3c5d416f47b32c5f20a611dfeca5d5f2e]
Stefan Brüns (1): drm/i915: Try EDID bitbanging on HDMI after failed read [cfb926e148e99acc02351d72e8b85e32b5f786ef]
Stefan Haberland (1): s390/dasd: fix IO error for newly defined devices [5d27a2bf6e14f5c7d1033ad1e993fcd0eba43e83]
Steve French (2): cifs: do not allow creating sockets except with SMB1 posix exensions [1d0cffa674cfa7d185a302c8c6850fc50b893bed] smb3: directory sync should not return an error [6e70c267e68d77679534dcf4aaf84e66f2cf1425]
Steven Rostedt (3): tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} [45dd9b0666a162f8e4be76096716670cf1741f0e] tracing: Fix crash when freeing instances with event triggers [86b389ff22bd6ad8fd3cb98e41cd271886c6d023] tracing: Fix regex_match_front() to not over compare the test string [dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d]
Sudhir Sreedharan (1): rtl8187: Fix NULL pointer dereference in priv->conf_mutex [7972326a26b5bf8dc2adac575c4e03ee7e9d193a]
Sudip Mukherjee (1): libata: blacklist Micron 500IT SSD with MU01 firmware [136d769e0b3475d71350aa3648a116a6ee7a8f6c]
Sven Eckelmann (1): batman-adv: Avoid race in TT TVLV allocator helper [8ba0f9bd3bdea1058c2b2676bec7905724418e40]
Takashi Iwai (21): ALSA: aloop: Add missing cable lock to ctl API callbacks [76b3421b39bd610546931fc923edcf90c18fa395] ALSA: asihpi: Hardening for potential Spectre v1 [f9d94b57e30fd1575b4935045b32d738668aa74b] ALSA: control: Hardening for potential Spectre v1 [088e861edffb84879cf0c0d1b02eda078c3a0ffe] ALSA: hda: Hardening for potential Spectre v1 [69fa6f19b95597618ab30438a27b67ad93daa7c7] ALSA: hdspm: Hardening for potential Spectre v1 [10513142a7114d251670361ad40cba2c61403406] ALSA: opl3: Hardening for potential Spectre v1 [7f054a5bee0987f1e2d4e59daea462421c76f2cb] ALSA: pcm: Avoid potential races between OSS ioctls and read/write [02a5d6925cd34c3b774bdb8eefb057c40a30e870] ALSA: pcm: Check PCM state at xfern compat ioctl [f13876e2c33a657a71bcbb10f767c0951b165020] ALSA: pcm: Fix UAF at PCM release via PCM timer access [a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b] ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation [e15dc99dbb9cf99f6432e8e3c0b3a8f7a3403a86] ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls [f6d297df4dd47ef949540e4a201230d0c5308325] ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams [40cab6e88cb0b6c56d3f30b7491a20e803f948f6] ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation [c64ed5dd9feba193c76eb460b451225ac2a0d87b] ALSA: rawmidi: Fix missing input substream checks in compat ioctls [8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11] ALSA: rme9652: Hardening for potential Spectre v1 [f526afcd8f71945c23ce581d7864ace93de8a4f7] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() [8f22e52528cc372b218b5f100457469615c733ce] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device [f5e94b4c6ebdabe0f602d796e0430180927521a0] ALSA: seq: oss: Hardening for potential Spectre v1 [8d218dd8116695ecda7164f97631c069938aa22e] ALSA: timer: Call notifier in the same spinlock [f65e0d299807d8a11812845c972493c3f9a18e10] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio [1d8d6428d1da642ddd75b0be2d1bb1123ff8e017] 
resource: fix integer overflow at reallocation [60bb83b81169820c691fbfa33a6a4aef32aa4b0b]
Tarick Bedeir (1): net/mlx4_core: Fix error handling in mlx4_init_port_info. [57f6f99fdad9984801cde05c1db68fe39b474a10]
Tejun Heo (1): libata: Blacklist some Sandisk SSDs for NCQ [322579dcc865b94b47345ad1b6002ad167f85405]
Tetsuo Handa (4): tty: Avoid possible error pointer dereference at tty_ldisc_restore(). [598c2d41ff44889dd8eced4f117403e472158d85] tty: Don't call panic() at tty_ldisc_init() [903f9db10f18f735e62ba447147b6c434b6af003] tty: Use __GFP_NOFAIL for tty_ldisc_get() [bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20] x86/kexec: Avoid double free_page() upon do_kexec_load() failure [a466ef76b815b86748d9870ef2a430af7b39c710]
Theodore Ts'o (6): ext4: add bounds checking to ext4_xattr_find_entry() [9496005d6ca4cf8f5ee8f828165a8956872dc59d] ext4: add extra checks to ext4_xattr_block_get() [54dd0e0a1b255f115f8647fc6fb93273251b01b9] ext4: don't update checksum of new initialized bitmaps [044e6e3d74a3d7103a0c8a9305dfd94d64000660] ext4: force revalidation of directory pointer after seekdir(2) [e40ff213898502d299351cc2fe1e350cd186f0d3] ext4: set h_journal if there is a failure starting a reserved handle [b2569260d55228b617bd82aba6d0db2faeeb4116] jbd2: if the journal is aborted then don't allow update of the log tail [85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9]
Thinh Nguyen (1): usb: dwc3: pci: Properly cleanup resource [cabdf83dadfb3d83eec31e0f0638a92dbd716435]
Tony Lindgren (1): net: davinci_emac: Fix runtime pm calls for davinci_emac [b5133e7a988b2cf8e1cd2b23231f36aff35ceffc]
Toshiaki Makita (1): vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi [7ce2367254e84753bceb07327aaf5c953cfce117]
Uwe Kleine-König (1): serial: altera: ensure port->regshift is honored consistently [0e254963b6ba4d63ac911e79537fea38dd03dc50]
Vasily Gorbik (1): s390/ipl: ensure loadparm valid flag is set [15deb080a6087b73089139569558965750e69d67]
Vasyl Vavrychuk (1): USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster [470b5d6f0cf4674be2d1ec94e54283a1770b6a1a]
Wei Huang (1): KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed [c4d2188206bafa177ea58e9a25b952baa0bf7712]
Wenwen Wang (1): ALSA: control: fix a redundant-copy issue [3f12888dfae2a48741c4caa9214885b3aaf350f9]
Willem de Bruijn (2): net: test tailroom before appending to linear skb [113f99c3358564a0647d444c2ae34e8b1abfd5b9] packet: fix bitfield update race [a6361f0ca4b25460f2cdf3235ebe8115f622901e]
Wolfgang Bumiller (1): net: fix deadlock while clearing neighbor proxy table [53b76cdf7e8fecec1d09e38aad2f8579882591a8]
Xiaoming Gao (1): x86/tsc: Prevent 32bit truncation in calc_hpet_ref() [d3878e164dcd3925a237a20e879432400e369172]
Xin Long (5): bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave [ddea788c63094f7c483783265563dd5b50052e28] sctp: do not check port in sctp_inet6_cmp_addr [1071ec9d453a38023579714b64a951a2fb982071] sctp: fix the issue that the cookie-ack with auth can't get processed [ce402f044e4e432c296f90eaabb8dbe8f3624391] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr [d625329b06e46bd20baf9ee40847d11982569204] team: fix netconsole setup over team [9cf2f437ca5b39828984064fad213e68fc17ef11]
Yazen Ghannam (1): x86/smpboot: Don't use mwait_play_dead() on AMD systems [da6fa7ef67f07108a1b0cb9fd9e7fcaabd39c051]
Yishai Hadas (1): RDMA/mlx5: Don't assume that medium blueFlame register exists [18b0362e87dfa09e355093b897b9db854e360d28]
Zheng Yan (1): ceph: always update atime/mtime/ctime for new inode [ffdeec7aa41aa61ca4ee68fddf4669df9ce661d1]
Zhengjun Xing (1): USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw [64627388b50158fd24d6ad88132525b95a5ef573]
Łukasz Stelmach (1): ARM: 8753/1: decompressor: add a missing parameter to the addruart macro [e07e3c33b9c0b5751ade624f44325c9bf2487ea6]
Documentation/networking/ppp_generic.txt | 6 - Makefile | 4 +- arch/arc/include/asm/Kbuild | 1 + arch/arm/boot/compressed/head.S | 16 +- arch/arm/boot/compressed/misc.c | 9 +- arch/arm/boot/dts/at91sam9g25.dtsi | 2 +- arch/arm/crypto/Makefile | 2 + arch/arm/include/asm/assembler.h | 10 + arch/arm/kernel/traps.c | 5 +- arch/arm/kvm/arm.c | 15 +- arch/arm/lib/getuser.S | 4 + arch/arm/mach-davinci/board-dm646x-evm.c | 3 +- arch/arm/mach-keystone/pm_domain.c | 1 + arch/avr32/include/asm/Kbuild | 1 + arch/blackfin/include/asm/Kbuild | 1 + arch/c6x/include/asm/Kbuild | 1 + arch/cris/include/asm/Kbuild | 1 + arch/frv/include/asm/Kbuild | 1 + arch/hexagon/include/asm/Kbuild | 1 + arch/ia64/include/asm/Kbuild | 1 + arch/m32r/include/asm/Kbuild | 1 + arch/metag/include/asm/Kbuild | 1 + arch/microblaze/include/asm/Kbuild | 1 + arch/mips/include/asm/Kbuild | 1 + arch/mips/include/asm/uaccess.h | 11 +- arch/mips/kernel/ptrace.c | 24 ++- arch/mips/kernel/ptrace32.c | 6 +- arch/mips/kvm/kvm_mips.c | 2 +- arch/mips/lib/memset.S | 11 +- arch/mn10300/include/asm/Kbuild | 1 + arch/parisc/kernel/drivers.c | 4 + arch/parisc/kernel/hpmc.S | 6 +- arch/powerpc/include/asm/barrier.h | 3 +- arch/powerpc/include/asm/opal.h | 3 + arch/powerpc/include/asm/synch.h | 4 - arch/powerpc/kernel/cpu_setup_power.S | 4 + arch/powerpc/kernel/eeh_driver.c | 61 ++++-- arch/powerpc/kernel/eeh_pe.c | 3 +- arch/powerpc/lib/feature-fixups.c | 2 +- arch/powerpc/mm/hugetlbpage.c | 17 +- arch/powerpc/platforms/powernv/opal-nvram.c | 21 +- arch/s390/hypfs/inode.c | 2 +- arch/s390/include/asm/Kbuild | 1 + arch/s390/kernel/ipl.c | 1 + arch/s390/kernel/perf_cpum_sf.c | 4 + arch/score/include/asm/Kbuild | 1 + arch/tile/include/asm/Kbuild | 1 + arch/um/include/asm/Kbuild | 1 + arch/um/os-Linux/signal.c | 2 +- arch/unicore32/include/asm/Kbuild | 1 + arch/x86/boot/compressed/eboot.c | 6 +- arch/x86/crypto/cast5_avx_glue.c | 3 +- arch/x86/include/asm/apic.h | 4 +- arch/x86/include/asm/x2apic.h | 2 +- 
arch/x86/kernel/acpi/boot.c | 18 +- arch/x86/kernel/apic/apic_numachip.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 4 +- arch/x86/kernel/smpboot.c | 2 + arch/x86/kernel/tsc.c | 2 +- arch/x86/kvm/x86.c | 7 +- arch/x86/mm/dump_pagetables.c | 10 +- arch/x86/net/bpf_jit_comp.c | 3 +- arch/x86/um/stub_segv.c | 2 +- arch/x86/xen/mmu.c | 6 +- arch/xtensa/include/asm/Kbuild | 1 + crypto/af_alg.c | 8 +- crypto/ahash.c | 7 +- drivers/ata/ahci.c | 1 + drivers/ata/libata-core.c | 8 + drivers/atm/zatm.c | 3 + drivers/base/regmap/regmap.c | 22 +- drivers/char/virtio_console.c | 157 +++++++------- drivers/gpu/drm/drm_fops.c | 1 + drivers/gpu/drm/i915/i915_cmd_parser.c | 80 ++++--- drivers/gpu/drm/i915/i915_drv.h | 5 + drivers/gpu/drm/i915/i915_gem_userptr.c | 3 + drivers/gpu/drm/i915/intel_hdmi.c | 14 +- drivers/gpu/drm/i915/intel_lvds.c | 11 +- drivers/gpu/drm/msm/msm_gem.c | 30 ++- drivers/gpu/drm/radeon/radeon_device.c | 15 +- drivers/gpu/drm/radeon/si_dpm.c | 4 +- drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 10 +- drivers/hid/hid-core.c | 12 +- drivers/hid/hidraw.c | 5 + drivers/hid/i2c-hid/i2c-hid.c | 13 +- drivers/hwmon/nct6683.c | 4 +- drivers/hwmon/nct6775.c | 10 +- drivers/hwmon/pmbus/adm1275.c | 4 +- drivers/hwmon/pmbus/max8688.c | 2 +- drivers/i2c/busses/i2c-pmcmsp.c | 4 +- drivers/i2c/busses/i2c-viperboard.c | 2 +- drivers/iio/kfifo_buf.c | 11 +- drivers/infiniband/core/addr.c | 16 ++ drivers/infiniband/core/iwpm_util.c | 5 +- drivers/infiniband/core/ucma.c | 43 ++-- drivers/infiniband/hw/cxgb4/cq.c | 11 +- drivers/infiniband/hw/cxgb4/device.c | 8 + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 6 +- drivers/infiniband/hw/cxgb4/qp.c | 4 +- drivers/infiniband/hw/cxgb4/resource.c | 26 ++- drivers/infiniband/hw/mlx5/qp.c | 39 ++-- drivers/infiniband/ulp/srp/ib_srp.c | 8 +- drivers/input/serio/i8042-x86ia64io.h | 24 +++ 
drivers/media/pci/cx25821/cx25821-core.c | 7 +- drivers/media/platform/s3c-camif/camif-capture.c | 7 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +- drivers/message/fusion/mptsas.c | 1 + drivers/mmc/host/jz4740_mmc.c | 2 +- drivers/mtd/chips/cfi_cmdset_0001.c | 33 ++- drivers/mtd/chips/cfi_cmdset_0002.c | 9 +- drivers/mtd/ubi/block.c | 2 +- drivers/mtd/ubi/build.c | 11 + drivers/net/bonding/bond_main.c | 3 +- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/net/ethernet/broadcom/bcmsysport.c | 11 +- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +- drivers/net/ethernet/cisco/enic/enic_main.c | 8 +- drivers/net/ethernet/marvell/sky2.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 +- drivers/net/ethernet/ti/cpsw.c | 13 +- drivers/net/ethernet/ti/davinci_cpdma.c | 2 +- drivers/net/ethernet/ti/davinci_emac.c | 62 ++++-- drivers/net/ppp/ppp_generic.c | 136 +++++++----- drivers/net/ppp/pppoe.c | 4 + drivers/net/team/team.c | 38 +++- drivers/net/usb/qmi_wwan.c | 13 ++ drivers/net/vmxnet3/vmxnet3_drv.c | 137 ++++++++---- drivers/net/vmxnet3/vmxnet3_int.h | 8 +- drivers/net/wireless/rtl818x/rtl8187/dev.c | 2 +- drivers/parport/parport_pc.c | 4 + drivers/pci/hotplug/acpiphp_glue.c | 23 +- drivers/pci/quirks.c | 13 ++ drivers/pinctrl/pinctrl-single.c | 22 +- drivers/rtc/rtc-snvs.c | 15 +- drivers/rtc/rtc-tx4939.c | 6 +- drivers/s390/block/dasd_alias.c | 16 +- drivers/s390/cio/chsc.c | 14 +- drivers/s390/cio/qdio_main.c | 42 ++-- drivers/s390/cio/qdio_setup.c | 12 +- drivers/s390/net/qeth_core_main.c | 8 +- drivers/s390/scsi/zfcp_dbf.c | 23 +- drivers/s390/scsi/zfcp_ext.h | 5 +- drivers/s390/scsi/zfcp_scsi.c | 14 +- drivers/scsi/qla2xxx/qla_init.c | 3 +- drivers/scsi/sd.c | 2 + drivers/staging/line6/midi.c | 2 +- drivers/staging/rtl8192u/r8192U_core.c | 2 + 
drivers/staging/usbip/usbip_common.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 8 +- drivers/thermal/imx_thermal.c | 19 +- drivers/tty/Makefile | 3 +- drivers/tty/n_null.c | 80 +++++++ drivers/tty/pty.c | 19 +- drivers/tty/serial/altera_uart.c | 6 +- drivers/tty/serial/arc_uart.c | 8 +- drivers/tty/serial/fsl_lpuart.c | 4 + drivers/tty/serial/imx.c | 6 + drivers/tty/serial/mxs-auart.c | 5 + drivers/tty/serial/pxa.c | 4 + drivers/tty/serial/xilinx_uartps.c | 2 +- drivers/tty/tty_io.c | 42 ++-- drivers/tty/tty_ldisc.c | 68 +++--- drivers/tty/vt/vt.c | 6 +- drivers/usb/core/config.c | 4 +- drivers/usb/core/generic.c | 9 +- drivers/usb/core/hcd.c | 1 + drivers/usb/core/hub.c | 10 +- drivers/usb/core/quirks.c | 3 + drivers/usb/dwc3/dwc3-pci.c | 2 +- drivers/usb/host/xhci-pci.c | 5 +- drivers/usb/musb/musb_gadget_ep0.c | 14 +- drivers/usb/musb/musb_host.c | 4 +- drivers/usb/serial/Kconfig | 1 + drivers/usb/serial/cp210x.c | 2 + drivers/usb/serial/ftdi_sio.c | 5 +- drivers/usb/serial/ftdi_sio_ids.h | 9 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/serial/visor.c | 69 +++--- drivers/video/fbdev/stifb.c | 2 +- drivers/watchdog/f71808e_wdt.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- drivers/xen/xen-acpi-processor.c | 6 +- fs/affs/namei.c | 10 +- fs/afs/security.c | 13 +- fs/aio.c | 7 +- fs/autofs4/root.c | 2 +- fs/btrfs/ctree.c | 16 +- fs/btrfs/extent-tree.c | 1 + fs/btrfs/inode.c | 231 +++++++++++++------- fs/btrfs/ioctl.c | 22 +- fs/btrfs/tests/qgroup-tests.c | 2 +- fs/btrfs/tree-log.c | 12 +- fs/buffer.c | 2 +- fs/ceph/inode.c | 10 +- fs/cifs/cifsfs.c | 13 ++ fs/cifs/dir.c | 9 +- fs/cifs/smb2pdu.c | 49 +++-- fs/dcache.c | 22 ++ fs/ecryptfs/inode.c | 3 +- fs/ext2/inode.c | 10 - fs/ext2/namei.c | 6 +- fs/ext3/namei.c | 6 +- fs/ext4/balloc.c | 3 +- fs/ext4/dir.c | 8 +- fs/ext4/ialloc.c | 43 +--- fs/ext4/indirect.c | 5 +- fs/ext4/namei.c | 6 +- fs/ext4/xattr.c | 86 +++++--- fs/ext4/xattr.h | 11 + fs/f2fs/f2fs.h | 1 + fs/f2fs/gc.c | 2 +- fs/f2fs/inode.c | 23 ++ 
fs/f2fs/namei.c | 52 ++--- fs/fs-writeback.c | 2 +- fs/hugetlbfs/inode.c | 10 +- fs/jbd2/journal.c | 5 +- fs/jbd2/transaction.c | 1 + fs/jffs2/dir.c | 12 +- fs/jffs2/super.c | 2 +- fs/jfs/namei.c | 12 +- fs/namespace.c | 3 +- fs/nilfs2/namei.c | 6 +- fs/notify/fanotify/fanotify.c | 34 ++- fs/ocfs2/dlm/dlmcommon.h | 1 + fs/ocfs2/dlm/dlmdomain.c | 15 ++ fs/ocfs2/dlm/dlmrecovery.c | 13 +- fs/proc/proc_sysctl.c | 3 + fs/reiserfs/journal.c | 2 +- fs/reiserfs/namei.c | 12 +- fs/ubifs/super.c | 14 +- fs/udf/ialloc.c | 7 +- fs/udf/namei.c | 106 ++++----- fs/ufs/ialloc.c | 6 +- fs/ufs/namei.c | 14 +- include/asm-generic/word-at-a-time.h | 80 ++++++- include/linux/clk-provider.h | 3 +- include/linux/dcache.h | 1 + include/linux/efi.h | 8 +- include/linux/hid.h | 4 +- include/linux/iio/buffer.h | 6 +- include/linux/log2.h | 13 +- include/linux/msg.h | 4 +- include/linux/mtd/flashchip.h | 1 + include/linux/shm.h | 4 +- include/linux/string.h | 3 + include/linux/tty.h | 6 +- include/linux/virtio.h | 3 + include/net/dst.h | 1 + include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- include/rdma/ib_addr.h | 2 + include/sound/control.h | 7 +- include/sound/pcm_oss.h | 1 + include/trace/events/xen.h | 16 -- include/uapi/linux/ppp-ioctl.h | 2 +- include/uapi/linux/tty.h | 1 + ipc/msg.c | 19 +- ipc/msgutil.c | 2 +- ipc/sem.c | 38 ++-- ipc/shm.c | 116 +++++++--- ipc/util.c | 9 + ipc/util.h | 11 + kernel/resource.c | 3 +- kernel/sched/auto_group.c | 9 +- kernel/sched/core.c | 3 + kernel/sys.c | 4 + kernel/time/clocksource.c | 2 + kernel/time/tick-broadcast.c | 8 + kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_events_trigger.c | 5 +- kernel/trace/trace_uprobe.c | 32 ++- kernel/tracepoint.c | 4 +- lib/string.c | 88 ++++++++ mm/filemap.c | 7 +- mm/mmap.c | 32 +++ net/atm/lec.c | 9 +- net/batman-adv/translation-table.c | 93 ++++++-- net/bridge/netfilter/ebtables.c | 3 +- net/ceph/messenger.c | 7 + net/compat.c | 6 +- net/core/dev.c | 3 +- 
net/core/dev_addr_lists.c | 4 +- net/core/neighbour.c | 30 ++- net/core/skbuff.c | 1 + net/dccp/ccids/ccid2.c | 14 +- net/dccp/timer.c | 2 +- net/dns_resolver/dns_key.c | 14 +- net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/ip_output.c | 3 +- net/ipv4/ip_tunnel.c | 17 +- net/ipv4/ping.c | 7 +- net/ipv4/route.c | 118 +++++----- net/ipv4/tcp.c | 8 +- net/ipv4/tcp_input.c | 7 +- net/ipv4/tcp_output.c | 7 +- net/ipv4/udp.c | 7 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_output.c | 3 +- net/ipv6/ip6_tunnel.c | 8 +- net/ipv6/ip6_vti.c | 7 +- net/ipv6/route.c | 2 + net/ipv6/sit.c | 8 +- net/ipv6/xfrm6_policy.c | 2 +- net/l2tp/l2tp_core.c | 260 ++++++++++------------- net/l2tp/l2tp_core.h | 7 +- net/l2tp/l2tp_debugfs.c | 18 +- net/l2tp/l2tp_netlink.c | 28 ++- net/l2tp/l2tp_ppp.c | 43 +++- net/llc/af_llc.c | 17 +- net/netfilter/ipvs/ip_vs_core.c | 8 + net/netfilter/ipvs/ip_vs_ctl.c | 15 +- net/netfilter/ipvs/ip_vs_sync.c | 10 +- net/netfilter/nf_tables_api.c | 59 ++--- net/netlink/af_netlink.c | 2 + net/packet/af_packet.c | 86 +++++--- net/packet/internal.h | 10 +- net/rfkill/rfkill-gpio.c | 7 +- net/sched/sch_fq.c | 37 ++-- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 65 +++--- net/sunrpc/rpc_pipe.c | 1 + security/selinux/ss/services.c | 2 +- sound/core/control_compat.c | 3 +- sound/core/oss/pcm_oss.c | 186 ++++++++++++---- sound/core/pcm.c | 8 +- sound/core/pcm_compat.c | 2 + sound/core/pcm_native.c | 1 + sound/core/rawmidi_compat.c | 18 +- sound/core/seq/oss/seq_oss_event.c | 15 +- sound/core/seq/oss/seq_oss_midi.c | 2 + sound/core/seq/oss/seq_oss_synth.c | 85 ++++---- sound/core/seq/oss/seq_oss_synth.h | 3 +- sound/core/seq/seq_virmidi.c | 4 +- sound/core/timer.c | 222 +++++++++---------- sound/drivers/aloop.c | 17 +- sound/drivers/opl3/opl3_synth.c | 7 +- sound/pci/asihpi/hpimsginit.c | 39 ++-- sound/pci/asihpi/hpioctl.c | 4 +- sound/pci/hda/hda_hwdep.c | 12 +- sound/pci/rme9652/hdspm.c | 24 ++- sound/pci/rme9652/rme9652.c | 6 +- sound/soc/codecs/ssm2602.c | 19 +- 
sound/soc/fsl/fsl_esai.c | 7 + sound/usb/mixer.c | 8 + sound/usb/mixer_maps.c | 3 + tools/perf/Documentation/perf-top.txt | 3 + tools/perf/builtin-record.c | 2 +- 354 files changed, 3603 insertions(+), 1941 deletions(-)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gerasiov gq@redlab-i.ru
commit 823f7923833c6cc2b16e601546d607dcfb368004 upstream.
WCH CH382L is a PCI-E adapter with 1 parallel port. It is similar to CH382 but serial ports are not soldered on board. Detected as Serial controller: Device 1c00:3050 (rev 10) (prog-if 05 [16850])
Signed-off-by: Alexander Gerasiov gq@redlab-i.ru Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/parport/parport_pc.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -2616,6 +2616,7 @@ enum parport_pc_pci_cards { netmos_9901, netmos_9865, quatech_sppxp100, + wch_ch382l, };
@@ -2678,6 +2679,7 @@ static struct parport_pc_pci { /* netmos_9901 */ { 1, { { 0, -1 }, } }, /* netmos_9865 */ { 1, { { 0, -1 }, } }, /* quatech_sppxp100 */ { 1, { { 0, 1 }, } }, + /* wch_ch382l */ { 1, { { 2, -1 }, } }, };
static const struct pci_device_id parport_pc_pci_tbl[] = { @@ -2767,6 +2769,8 @@ static const struct pci_device_id parpor /* Quatech SPPXP-100 Parallel port PCI ExpressCard */ { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100, PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 }, + /* WCH CH382L PCI-E single parallel port card */ + { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, { 0, } /* terminate list */ }; MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);
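Review bot: the new parport_pc_pci_tbl entry in the last hunk matches on bare numbers, { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, where the Quatech entry just above it uses PCI_VENDOR_ID_/PCI_DEVICE_ID_ macros and PCI_ANY_ID for the subsystem fields. If no macro exists for this vendor, a short comment saying so would help, and the changelog should say whether pinning subvendor/subdevice to 1c00:3050 is deliberate or whether PCI_ANY_ID would do. The { 2, -1 } in the second hunk is also the only entry among those shown that puts the port on BAR 2, which deserves a word in the changelog.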
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König u.kleine-koenig@pengutronix.de
commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 upstream.
Most register accesses in the altera driver honor port->regshift by using altera_uart_writel(). There are a few accesses however that were missed when the driver was converted to use port->regshift and some others were added later in commit 4d9d7d896d77 ("serial: altera_uart: add earlycon support").
Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift") Signed-off-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Acked-by: Tobias Klauser tklauser@distanz.ch Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: Drop changes in altera_uart_earlycon_setup()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/altera_uart.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/tty/serial/altera_uart.c +++ b/drivers/tty/serial/altera_uart.c @@ -335,7 +335,7 @@ static int altera_uart_startup(struct ua
/* Enable RX interrupts now */ pp->imr = ALTERA_UART_CONTROL_RRDY_MSK; - writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); + altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
spin_unlock_irqrestore(&port->lock, flags);
@@ -351,7 +351,7 @@ static void altera_uart_shutdown(struct
/* Disable all interrupts now */ pp->imr = 0; - writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); + altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
spin_unlock_irqrestore(&port->lock, flags);
@@ -441,7 +441,7 @@ static void altera_uart_console_putc(str ALTERA_UART_STATUS_TRDY_MSK)) cpu_relax();
- writel(c, port->membase + ALTERA_UART_TXDATA_REG); + altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG); }
static void altera_uart_console_write(struct console *co, const char *s,
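Review bot: the diffstat in the changelog (12 lines changed, 6 insertions, 6 deletions) does not match the three hunks that follow, which replace one writel() each in altera_uart_startup(), altera_uart_shutdown() and altera_uart_console_putc(), i.e. 3 insertions and 3 deletions. It looks like the stat was carried over from the upstream commit after the altera_uart_earlycon_setup() changes were dropped for 3.16; regenerating it would make the backport note and the patch agree.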
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.vnet.ibm.com
commit 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 upstream.
On an Output queue, both EMPTY and PENDING buffer states imply that the buffer is ready for completion-processing by the upper-layer drivers.
So for a non-QEBSM Output queue, get_buf_states() merges mixed batches of PENDING and EMPTY buffers into one large batch of EMPTY buffers. The upper-layer driver (i.e. qeth) later distinguishes PENDING from EMPTY by inspecting the slsb_state for QDIO_OUTBUF_STATE_FLAG_PENDING.
But the merge logic in get_buf_states() contains a bug that causes us to erroneously also merge ERROR buffers into such a batch of EMPTY buffers (ERROR is 0xaf, EMPTY is 0xa1; so ERROR & EMPTY == EMPTY). Effectively, most outbound ERROR buffers are currently discarded silently and processed as if they had succeeded.
Note that this affects _all_ non-QEBSM device types, not just IQD with CQ.
Fix it by explicitly spelling out the exact conditions for merging.
For extracting the "get initial state" part out of the loop, this relies on the fact that get_buf_states() is never called with a count of 0. The QEBSM path already strictly requires this, and the two callers with variable 'count' make sure of it.
Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") Signed-off-by: Julian Wiedmann jwi@linux.vnet.ibm.com Reviewed-by: Ursula Braun ubraun@linux.vnet.ibm.com Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_main.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-)
--- a/drivers/s390/cio/qdio_main.c +++ b/drivers/s390/cio/qdio_main.c @@ -212,7 +212,10 @@ again: return 0; }
-/* returns number of examined buffers and their common state in *state */ +/* + * Returns number of examined buffers and their common state in *state. + * Requested number of buffers-to-examine must be > 0. + */ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr, unsigned char *state, unsigned int count, int auto_ack, int merge_pending) @@ -223,17 +226,23 @@ static inline int get_buf_states(struct if (is_qebsm(q)) return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
- for (i = 0; i < count; i++) { - if (!__state) { - __state = q->slsb.val[bufnr]; - if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) - __state = SLSB_P_OUTPUT_EMPTY; - } else if (merge_pending) { - if ((q->slsb.val[bufnr] & __state) != __state) - break; - } else if (q->slsb.val[bufnr] != __state) - break; + /* get initial state: */ + __state = q->slsb.val[bufnr]; + if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) + __state = SLSB_P_OUTPUT_EMPTY; + + for (i = 1; i < count; i++) { bufnr = next_buf(bufnr); + + /* merge PENDING into EMPTY: */ + if (merge_pending && + q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING && + __state == SLSB_P_OUTPUT_EMPTY) + continue; + + /* stop if next state differs from initial state: */ + if (q->slsb.val[bufnr] != __state) + break; } *state = __state; return i;
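Review bot: in the second hunk the count > 0 precondition is enforced only by the new comment. With count == 0 the rewritten body still reads q->slsb.val[bufnr] and returns 1, because i now starts at 1, where the old loop returned 0 without touching the SLSB. The changelog says the current callers guarantee a non-zero count, but a WARN_ON_ONCE(!count) with an early return 0 ahead of the "get initial state" read would keep a future caller from being told that one buffer was examined when it asked for none.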
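The masking bug the changelog above describes, as an added user-space model that is not part of the patch or of the kernel source. The EMPTY and ERROR values are the ones quoted in the changelog; the PENDING value, the 8-entry ring, the sample SLSB contents and all function names are assumptions made for this example.

```c
#include <stdio.h>

#define OUT_EMPTY   0xa1   /* value quoted in the changelog */
#define OUT_ERROR   0xaf   /* value quoted in the changelog */
#define OUT_PENDING 0xa3   /* assumed for this example */
#define NBUF        8      /* constructed ring size */

/* Constructed SLSB: one ERROR buffer sits inside a run of completions. */
static const unsigned char SAMPLE_SLSB[NBUF] = {
    OUT_EMPTY, OUT_PENDING, OUT_ERROR, OUT_EMPTY,
    OUT_EMPTY, OUT_EMPTY,   OUT_EMPTY, OUT_EMPTY,
};

static unsigned int next_buf(unsigned int b) { return (b + 1) % NBUF; }

/* Model of the loop removed by the patch: a mask test decides the merge. */
static int scan_old(const unsigned char *slsb, unsigned int bufnr,
                    unsigned char *state, unsigned int count, int merge_pending)
{
    unsigned char st = 0;
    unsigned int i;

    for (i = 0; i < count; i++) {
        if (!st) {
            st = slsb[bufnr];
            if (merge_pending && st == OUT_PENDING)
                st = OUT_EMPTY;
        } else if (merge_pending) {
            /* 0xaf & 0xa1 == 0xa1, so ERROR passes as EMPTY here */
            if ((slsb[bufnr] & st) != st)
                break;
        } else if (slsb[bufnr] != st) {
            break;
        }
        bufnr = next_buf(bufnr);
    }
    *state = st;
    return (int)i;
}

/* Model of the loop added by the patch: the merge is spelled out exactly. */
static int scan_new(const unsigned char *slsb, unsigned int bufnr,
                    unsigned char *state, unsigned int count, int merge_pending)
{
    unsigned char st;
    unsigned int i;

    if (count == 0)            /* guard added in this model only */
        return 0;
    st = slsb[bufnr];
    if (merge_pending && st == OUT_PENDING)
        st = OUT_EMPTY;
    for (i = 1; i < count; i++) {
        bufnr = next_buf(bufnr);
        if (merge_pending && slsb[bufnr] == OUT_PENDING && st == OUT_EMPTY)
            continue;
        if (slsb[bufnr] != st)
            break;
    }
    *state = st;
    return (int)i;
}

typedef int (*scan_fn)(const unsigned char *, unsigned int,
                       unsigned char *, unsigned int, int);

/* Walk the whole ring in batches, as a caller would, and count how many
 * buffers are handed up with state ERROR. */
static int errors_reported(scan_fn scan, const unsigned char *slsb)
{
    unsigned int bufnr = 0, left = NBUF;
    int errors = 0;

    while (left > 0) {
        unsigned char st;
        int n = scan(slsb, bufnr, &st, left, 1);

        if (st == OUT_ERROR)
            errors += n;
        bufnr = (bufnr + (unsigned int)n) % NBUF;
        left -= (unsigned int)n;
    }
    return errors;
}

int main(void)
{
    printf("old loop reports %d error buffer(s)\n",
           errors_reported(scan_old, SAMPLE_SLSB));
    printf("new loop reports %d error buffer(s)\n",
           errors_reported(scan_new, SAMPLE_SLSB));
    return 0;
}
```

For monitoring, the practical consequence is that on an unpatched kernel the absence of outbound error completions says nothing about whether transmissions failed.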
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 40cab6e88cb0b6c56d3f30b7491a20e803f948f6 upstream.
OSS PCM stream management isn't modal but it allows ioctls issued at any time for changing the parameters. In the previous hardening patch ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write"), we covered these races and prevent the corruption by protecting the concurrent accesses via params_lock mutex. However, this means that some ioctls that try to change the stream parameter (e.g. channels or format) would be blocked until the read/write finishes, and it may take really long.
Basically changing the parameter while reading/writing is an invalid operation, hence it's even more user-friendly from the API POV if it returns -EBUSY in such a situation.
This patch adds such checks in the relevant ioctls with the addition of read/write access refcount.
Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/pcm_oss.h | 1 + sound/core/oss/pcm_oss.c | 36 +++++++++++++++++++++++++++--------- 2 files changed, 28 insertions(+), 9 deletions(-)
--- a/include/sound/pcm_oss.h +++ b/include/sound/pcm_oss.h @@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime { char *buffer; /* vmallocated period */ size_t buffer_used; /* used length from period buffer */ struct mutex params_lock; + atomic_t rw_ref; /* concurrent read/write accesses */ #ifdef CONFIG_SND_PCM_OSS_PLUGINS struct snd_pcm_plugin *plugin_first; struct snd_pcm_plugin *plugin_last; --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1406,6 +1406,7 @@ static ssize_t snd_pcm_oss_write1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
+ atomic_inc(&runtime->oss.rw_ref); while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; @@ -1469,6 +1470,7 @@ static ssize_t snd_pcm_oss_write1(struct } tmp = 0; } + atomic_dec(&runtime->oss.rw_ref); return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; }
@@ -1514,6 +1516,7 @@ static ssize_t snd_pcm_oss_read1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
+ atomic_inc(&runtime->oss.rw_ref); while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; @@ -1562,6 +1565,7 @@ static ssize_t snd_pcm_oss_read1(struct } tmp = 0; } + atomic_dec(&runtime->oss.rw_ref); return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; }
@@ -1668,8 +1672,11 @@ static int snd_pcm_oss_sync(struct snd_p goto __direct; if ((err = snd_pcm_oss_make_ready(substream)) < 0) return err; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) + atomic_inc(&runtime->oss.rw_ref); + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; + } format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) { @@ -1681,10 +1688,8 @@ static int snd_pcm_oss_sync(struct snd_p runtime->oss.buffer + runtime->oss.buffer_used, size); err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes); - if (err < 0) { - mutex_unlock(&runtime->oss.params_lock); - return err; - } + if (err < 0) + goto unlock; } else if (runtime->oss.period_ptr > 0) { #ifdef OSS_DEBUG pcm_dbg(substream->pcm, "sync: period_ptr\n"); @@ -1694,10 +1699,8 @@ static int snd_pcm_oss_sync(struct snd_p runtime->oss.buffer, size * 8 / width); err = snd_pcm_oss_sync1(substream, size); - if (err < 0) { - mutex_unlock(&runtime->oss.params_lock); - return err; - } + if (err < 0) + goto unlock; } /* * The ALSA's period might be a bit large than OSS one. @@ -1728,7 +1731,11 @@ static int snd_pcm_oss_sync(struct snd_p snd_pcm_lib_writev(substream, buffers, size); } } +unlock: mutex_unlock(&runtime->oss.params_lock); + atomic_dec(&runtime->oss.rw_ref); + if (err < 0) + return err; /* * finish sync: drain the buffer */ @@ -1776,6 +1783,8 @@ static int snd_pcm_oss_set_rate(struct s rate = 192000; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (runtime->oss.rate != rate) { runtime->oss.params = 1; runtime->oss.rate = rate; 
@@ -1810,6 +1819,8 @@ static int snd_pcm_oss_set_channels(stru runtime = substream->runtime; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (runtime->oss.channels != channels) { runtime->oss.params = 1; runtime->oss.channels = channels; @@ -1898,6 +1909,8 @@ static int snd_pcm_oss_set_format(struct if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; if (runtime->oss.format != format) { @@ -1952,6 +1965,8 @@ static int snd_pcm_oss_set_subdivide(str if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; err = snd_pcm_oss_set_subdivide1(substream, subdivide); @@ -1990,6 +2005,8 @@ static int snd_pcm_oss_set_fragment(stru if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; err = snd_pcm_oss_set_fragment1(substream, val); @@ -2384,6 +2401,7 @@ static void snd_pcm_oss_init_substream(s runtime->oss.maxfrags = 0; runtime->oss.subdivision = 0; substream->pcm_release = snd_pcm_oss_release_substream; + atomic_set(&runtime->oss.rw_ref, 0); }
static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file)
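Review bot: in the snd_pcm_oss_set_rate() hunk the new `if (atomic_read(&runtime->oss.rw_ref)) return -EBUSY;` comes after `mutex_lock_interruptible(&runtime->oss.params_lock)` has already succeeded, so the -EBUSY path returns with params_lock still held. The snd_pcm_oss_set_channels() hunk has the same ordering. Either unlock before returning -EBUSY or move the rw_ref test ahead of the lock, which is how the set_format, set_subdivide and set_fragment hunks in this same patch place it.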
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo acme@redhat.com
commit a8403912d04e2c8271653bb5b7f6294dc6d322ac upstream.
We've had this since 2013, document it.
Cc: Adrian Hunter adrian.hunter@intel.com
Cc: Andi Kleen ak@linux.intel.com
Cc: David Ahern dsahern@gmail.com
Cc: Jin Yao yao.jin@linux.intel.com
Cc: Jiri Olsa jolsa@kernel.org
Cc: Namhyung Kim namhyung@kernel.org
Cc: Wang Nan wangnan0@huawei.com
Cc: Willy Tarreau w@1wt.eu
Fixes: fc2be6968e99 ("perf symbols: Add new option --ignore-vmlinux for perf top")
Link: https://lkml.kernel.org/n/tip-0jwfueooddwfsw9r603belxi@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 tools/perf/Documentation/perf-top.txt | 3 +++
 1 file changed, 3 insertions(+)
--- a/tools/perf/Documentation/perf-top.txt +++ b/tools/perf/Documentation/perf-top.txt @@ -65,6 +65,9 @@ Default is to monitor all CPUS. --vmlinux=<path>:: Path to vmlinux. Required for annotation functionality.
+--ignore-vmlinux:: + Ignore vmlinux files. + -m <pages>:: --mmap-pages=<pages>:: Number of mmap data pages (must be a power of two) or size
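Review bot: the added description "Ignore vmlinux files." only restates the option name. The neighbouring --vmlinux entry says what the file is required for (annotation), so this entry should say in one more sentence what the user gives up or gets instead when vmlinux is ignored.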
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit c64ed5dd9feba193c76eb460b451225ac2a0d87b upstream.
Fix the last standing EINTR in the whole subsystem. Use more correct ERESTARTSYS for pending signals.
Signed-off-by: Takashi Iwai tiwai@suse.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/core/oss/pcm_oss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -852,7 +852,7 @@ static int snd_pcm_oss_change_params(str if (!(mutex_trylock(&runtime->oss.params_lock))) return -EAGAIN; } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -EINTR; + return -ERESTARTSYS; sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL); sparams = kmalloc(sizeof(*sparams), GFP_KERNEL);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eryu Guan guaneryu@gmail.com
commit 73fdad00b208b139cf43f3163fbc0f67e4c6047c upstream.
i_disksize update should be protected by i_data_sem, by either taking the lock explicitly or by using ext4_update_i_disksize() helper. But the i_disksize updates in ext4_direct_IO_write() are not protected at all, which may be racing with i_disksize updates in writeback path in delalloc buffer write path.
This is found by code inspection, and I didn't hit any i_disksize corruption due to this bug. Thanks to Jan Kara for catching this bug and suggesting the fix!
Reported-by: Jan Kara jack@suse.cz Suggested-by: Jan Kara jack@suse.cz Signed-off-by: Eryu Guan guaneryu@gmail.com Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: The relevant code is in ext4_ind_direct_IO()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ext4/indirect.c +++ b/fs/ext4/indirect.c @@ -649,7 +649,6 @@ ssize_t ext4_ind_direct_IO(int rw, struc { struct file *file = iocb->ki_filp; struct inode *inode = file->f_mapping->host; - struct ext4_inode_info *ei = EXT4_I(inode); handle_t *handle; ssize_t ret; int orphan = 0; @@ -672,7 +671,7 @@ ssize_t ext4_ind_direct_IO(int rw, struc goto out; } orphan = 1; - ei->i_disksize = inode->i_size; + ext4_update_i_disksize(inode, inode->i_size); ext4_journal_stop(handle); } } @@ -731,7 +730,7 @@ locked: if (ret > 0) { loff_t end = offset + ret; if (end > inode->i_size) { - ei->i_disksize = end; + ext4_update_i_disksize(inode, end); i_size_write(inode, end); /* * We're going to return a positive `ret'
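Review bot: in both hunks an unconditional store (`ei->i_disksize = inode->i_size` and `ei->i_disksize = end`) becomes a call to ext4_update_i_disksize(), and nothing visible here shows whether that helper always writes the new value or only raises i_disksize. If it only raises it, the first hunk (the orphan-add path) changes behaviour whenever i_disksize is already larger than inode->i_size. Please state in the backport note that this case cannot occur in ext4_ind_direct_IO(), or take i_data_sem explicitly around the original assignment there.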
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit e1a7418529e33bc4efc346324557251a16a3e79b upstream.
Currently the allocation of priv->oldaddr is not null checked which will lead to subsequent errors when accessing priv->oldaddr. Fix this with a null pointer check and a return of -ENOMEM on allocation failure.
Detected with Coccinelle: drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test, possible model on line 1723
Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
Signed-off-by: Colin Ian King colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 ++
 1 file changed, 2 insertions(+)
--- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -1893,6 +1893,8 @@ static short rtl8192_usb_initendpoints(s
priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); priv->oldaddr = kmalloc(16, GFP_KERNEL); + if (!priv->oldaddr) + return -ENOMEM; oldaddr = priv->oldaddr; align = ((long)oldaddr) & 3; if (align) {
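Review bot: the new `return -ENOMEM` leaves rtl8192_usb_initendpoints() directly after `priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL)`, so that URB is not released on this path unless the caller's error handling frees it, and the result of usb_alloc_urb() on the context line above is never tested at all. Suggest freeing rx_urb[16] before returning and giving the usb_alloc_urb() call the same NULL check.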
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young sean@mess.org
commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream.
If there is IR in the raw kfifo when ir_raw_event_unregister() is called, then kthread_stop() causes ir_raw_event_thread to be scheduled, decode some scancodes and re-arm timer_keyup. The timer_keyup then fires when the rc device is long gone.
Signed-off-by: Sean Young sean@mess.org Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com [bwh: Backported to 3.16: - There's no timer_repeat to move - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -1427,13 +1427,13 @@ void rc_unregister_device(struct rc_dev if (!dev) return;
- del_timer_sync(&dev->timer_keyup); - clear_bit(dev->devno, ir_core_dev_number);
if (dev->driver_type == RC_DRIVER_IR_RAW) ir_raw_event_unregister(dev);
+ del_timer_sync(&dev->timer_keyup); + /* Freeing the table should also call the stop callback */ ir_free_table(&dev->rc_map); IR_dprintk(1, "Freed keycode table\n");
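Review bot: the reason `del_timer_sync(&dev->timer_keyup)` now has to follow `ir_raw_event_unregister(dev)` is recorded only in the changelog. Add a short comment above the moved call saying the raw event thread can re-arm timer_keyup until it has been stopped, so a later cleanup does not move the call back to the top of rc_unregister_device().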
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Wassenberg dennis.wassenberg@secunet.com
commit b56af54ac78c54a519d82813836f305d7f76ef27 upstream.
Reset i8042 before probing because of insufficient BIOS initialisation of the i8042 serial controller. This makes Synaptics touchpad detection possible. Without resetting, the Synaptics touchpad is not detected because there are always NACK messages from the AUX port.
Signed-off-by: Dennis Wassenberg dennis.wassenberg@secunet.com
Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-x86ia64io.h +++ b/drivers/input/serio/i8042-x86ia64io.h @@ -595,6 +595,13 @@ static const struct dmi_system_id __init }, }, { + /* Lenovo ThinkPad L460 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"), + }, + }, + { /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Clemens Werther clemens.werther@gmail.com
commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream.
Add device id for Harman FirmwareHubEmulator to make the device auto-detectable by the driver.
Signed-off-by: Clemens Werther clemens.werther@gmail.com
Signed-off-by: Johan Hovold johan@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/usb/serial/ftdi_sio.c     | 1 +
 drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
 2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -949,6 +949,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, --- a/drivers/usb/serial/ftdi_sio_ids.h +++ b/drivers/usb/serial/ftdi_sio_ids.h @@ -1444,6 +1444,12 @@ #define FTDI_CINTERION_MC55I_PID 0xA951
/* + * Product: FirmwareHubEmulator + * Manufacturer: Harman Becker Automotive Systems + */ +#define FTDI_FHE_PID 0xA9A0 + +/* * Product: Comet Caller ID decoder * Manufacturer: Crucible Technologies */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov sergei.shtylyov@cogentembedded.com
commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 upstream.
According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS and the bias circuit must be enabled after the LVDS I/O pins are enabled, not before. Fix the Gen2 LVDS startup sequence accordingly.
While at it, also fix the comment preceding the first LVDCR0 write that still talks about hardcoding the LVDS mode 0.
Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support") Signed-off-by: Sergei Shtylyov sergei.shtylyov@cogentembedded.com Reviewed-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com Tested-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com Signed-off-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com [bwh: Backported to 3.16: - Mode is always 0 - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c @@ -87,10 +87,8 @@ static int rcar_du_lvdsenc_start(struct
rcar_lvds_write(lvds, LVDCHCR, lvdhcr);
- /* Select the input, hardcode mode 0, enable LVDS operation and turn - * bias circuitry on. - */ - lvdcr0 = LVDCR0_BEN | LVDCR0_LVEN; + /* Select the input and set the LVDS mode. */ + lvdcr0 = 0; if (rcrtc->index == 2) lvdcr0 |= LVDCR0_DUSEL; rcar_lvds_write(lvds, LVDCR0, lvdcr0); @@ -99,6 +97,10 @@ static int rcar_du_lvdsenc_start(struct rcar_lvds_write(lvds, LVDCR1, LVDCR1_CHSTBY(3) | LVDCR1_CHSTBY(2) | LVDCR1_CHSTBY(1) | LVDCR1_CHSTBY(0) | LVDCR1_CLKSTBY);
+ /* Enable LVDS operation and turn bias circuitry on. */ + lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + /* Turn the PLL on, wait for the startup delay, and turn the output * on. */
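Review bot: the replacement comment in the first hunk reads "Select the input and set the LVDS mode", but in this backport the value written is built from `lvdcr0 = 0` plus LVDCR0_DUSEL only, and the backport note says the mode is always 0. Reword the comment so it does not suggest a mode field is being programmed here, for example by saying that the mode is left at 0.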
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre nicolas.ferre@microchip.com
commit e8fd0adf105e132fd84545997bbef3d5edc2c9c1 upstream.
There are only 19 PIOB pins having primary names PB0-PB18. Not all of them have a 'C' function. So the pinctrl property mask ends up being the same as the other SoCs of the at91sam9x5 series.
Reported-by: Marek Sieranski marek.sieranski@microchip.com
Signed-off-by: Nicolas Ferre nicolas.ferre@microchip.com
Signed-off-by: Alexandre Belloni alexandre.belloni@bootlin.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/arm/boot/dts/at91sam9g25.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/at91sam9g25.dtsi +++ b/arch/arm/boot/dts/at91sam9g25.dtsi @@ -20,7 +20,7 @@ atmel,mux-mask = < /* A B C */ 0xffffffff 0xffe0399f 0xc000001c /* pioA */ - 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */ + 0x0007ffff 0x00047e3f 0x00000000 /* pioB */ 0x80000000 0x07c0ffff 0xb83fffff /* pioC */ 0x003fffff 0x003f8000 0x00000000 /* pioD */ >;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax ckeepax@opensource.cirrus.com
commit b8f9a03b741ddfdde4aa8b607fa7d88eb63a6338 upstream.
The current implementation is broken for regmaps that have a reg_stride, since it doesn't take the stride into account. Correct this by using the helper function to calculate the register offset.
Fixes: f01ee60fffa4 ("regmap: implement register striding")
Signed-off-by: Charles Keepax ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown broonie@kernel.org
[bwh: Backported to 3.16: Use simple multiplication instead of regmap_get_offset()]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/base/regmap/regmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -144,7 +144,7 @@ static bool regmap_volatile_range(struct unsigned int i;
for (i = 0; i < num; i++) - if (!regmap_volatile(map, reg + i)) + if (!regmap_volatile(map, reg + (i * map->reg_stride))) return false;
return true;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Ma aaron.ma@canonical.com
commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream.
When converting a char array to signed int, if inbuf[x] is negative then the upper bits will be set to 1. Fix this by using u8 instead of char.
ret_size has to be at least 3; hid_input_report uses it after subtracting 2 bytes.
Signed-off-by: Aaron Ma aaron.ma@canonical.com
Signed-off-by: Jiri Kosina jkosina@suse.cz
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -136,10 +136,10 @@ struct i2c_hid { * register of the HID * descriptor. */ unsigned int bufsize; /* i2c buffer size */ - char *inbuf; /* Input buffer */ - char *rawbuf; /* Raw Input buffer */ - char *cmdbuf; /* Command buffer */ - char *argsbuf; /* Command arguments buffer */ + u8 *inbuf; /* Input buffer */ + u8 *rawbuf; /* Raw Input buffer */ + u8 *cmdbuf; /* Command buffer */ + u8 *argsbuf; /* Command arguments buffer */
unsigned long flags; /* device flags */
@@ -373,7 +373,8 @@ static int i2c_hid_hwreset(struct i2c_cl
static void i2c_hid_get_input(struct i2c_hid *ihid) { - int ret, ret_size; + int ret; + u32 ret_size; int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
if (size > ihid->bufsize) @@ -398,7 +399,7 @@ static void i2c_hid_get_input(struct i2c return; }
- if (ret_size > size) { + if ((ret_size > size) || (ret_size <= 2)) { dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", __func__, size, ret_size); return;
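Review bot: ret_size becomes u32 in the i2c_hid_get_input() hunk, but the dev_err() in the last hunk still prints it with a signed conversion ("incomplete report (%d/%d)"); change that conversion to %u. The test `ret_size > size` now compares a u32 with the int `size`, which is only correct while size is non-negative, so declaring size unsigned too would make the bound check obviously safe. The message text also now covers the new `ret_size <= 2` case, where "incomplete report" is a less accurate description than a too-short length.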
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Frysinger vapier@chromium.org
commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream.
ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined" since at least March 1984. The Linux kernel has treated it as SGR 22 "normal intensity" since it was added in Linux-0.96b in June 1992. Before that, it was simply ignored. Other terminal emulators have either ignored it, or treat it as double underline now. xterm for example added support in its 304 release (May 2014) [2] where it was previously ignoring it.
Changing this behavior shouldn't be an issue:
- It isn't a named capability in ncurses's terminfo database, so no script is using libtinfo/libcurses to look this up, or using tput to query & output the right sequence.
- Any script assuming SGR 21 will reset intensity in all terminals already does not work correctly on non-Linux VTs (including running under screen/tmux/etc...).
- If someone has written a script that only runs in the Linux VT, and they're using SGR 21 (instead of SGR 22), the output should still be readable.
imo it's important to change this as the Linux VT's non-conformance is sometimes used as an argument for other terminal emulators to not implement SGR 21 at all, or do so incorrectly.
[1]: https://www.ecma-international.org/publications/standards/Ecma-048.htm
[2]: https://github.com/ThomasDickey/xterm-snapshots/commit/2fd29cb98d214cb536bca...
Signed-off-by: Mike Frysinger vapier@chromium.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
[bwh: Backported to 3.16: adjust indentation]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/tty/vt/vt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1303,6 +1303,11 @@ static void csi_m(struct vc_data *vc) case 3: vc->vc_italic = 1; break; + case 21: + /* + * No console drivers support double underline, so + * convert it to a single underline. + */ case 4: vc->vc_underline = 1; break; @@ -1339,7 +1344,6 @@ static void csi_m(struct vc_data *vc) vc->vc_disp_ctrl = 1; vc->vc_toggle_meta = 1; break; - case 21: case 22: vc->vc_intensity = 1; break;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 02a5d6925cd34c3b774bdb8eefb057c40a30e870 upstream.
Although we apply the params_lock mutex to the whole read and write operations as well as snd_pcm_oss_change_params(), we may still face some races.
First off, the params_lock is taken inside the read and write loop. This is intentional for avoiding the too long locking, but it allows the in-between parameter change, which might lead to invalid pointers. We check the readiness of the stream and set up via snd_pcm_oss_make_ready() at the beginning of read and write, but it's called only once, by assuming that it remains ready in the rest.
Second, many ioctls that may change the actual parameters (i.e. setting runtime->oss.params=1) aren't protected, hence they can be processed in a half-baked state.
This patch is an attempt to plug these holes. The stream readiness check is moved inside the read/write inner loop, so that the stream is always set up in a proper state before further processing. Also, each ioctl that may change the parameter is wrapped with the params_lock for avoiding the races.
The issues were triggered by syzkaller in a few different scenarios, particularly the one below appearing as GPF in loopback_pos_update.
Reported-by: syzbot+c4227aec125487ec3efa@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai tiwai@suse.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/core/oss/pcm_oss.c | 134 +++++++++++++++++++++++++++++++--------
 1 file changed, 106 insertions(+), 28 deletions(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -833,8 +833,8 @@ static int choose_rate(struct snd_pcm_su return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); }
-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, - bool trylock) +/* call with params_lock held */ +static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) { struct snd_pcm_runtime *runtime = substream->runtime; struct snd_pcm_hw_params *params, *sparams; @@ -848,11 +848,8 @@ static int snd_pcm_oss_change_params(str struct snd_mask sformat_mask; struct snd_mask mask;
- if (trylock) { - if (!(mutex_trylock(&runtime->oss.params_lock))) - return -EAGAIN; - } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; + if (!runtime->oss.params) + return 0; sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL); sparams = kmalloc(sizeof(*sparams), GFP_KERNEL); @@ -1080,6 +1077,23 @@ failure: kfree(sw_params); kfree(params); kfree(sparams); + return err; +} + +/* this one takes the lock by itself */ +static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + bool trylock) +{ + struct snd_pcm_runtime *runtime = substream->runtime; + int err; + + if (trylock) { + if (!(mutex_trylock(&runtime->oss.params_lock))) + return -EAGAIN; + } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + + err = snd_pcm_oss_change_params_locked(substream); mutex_unlock(&runtime->oss.params_lock); return err; } @@ -1108,11 +1122,14 @@ static int snd_pcm_oss_get_active_substr return 0; }
+/* call with params_lock held */ static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) { int err; struct snd_pcm_runtime *runtime = substream->runtime;
+ if (!runtime->oss.prepare) + return 0; err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_PREPARE, NULL); if (err < 0) { pcm_dbg(substream->pcm, @@ -1132,8 +1149,6 @@ static int snd_pcm_oss_make_ready(struct struct snd_pcm_runtime *runtime; int err;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (runtime->oss.params) { err = snd_pcm_oss_change_params(substream, false); @@ -1141,6 +1156,29 @@ static int snd_pcm_oss_make_ready(struct return err; } if (runtime->oss.prepare) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_prepare(substream); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) + return err; + } + return 0; +} + +/* call with params_lock held */ +static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream) +{ + struct snd_pcm_runtime *runtime; + int err; + + runtime = substream->runtime; + if (runtime->oss.params) { + err = snd_pcm_oss_change_params_locked(substream); + if (err < 0) + return err; + } + if (runtime->oss.prepare) { err = snd_pcm_oss_prepare(substream); if (err < 0) return err; @@ -1368,13 +1406,14 @@ static ssize_t snd_pcm_oss_write1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) - return tmp; while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; break; } + tmp = snd_pcm_oss_make_ready_locked(substream); + if (tmp < 0) + goto err; if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { tmp = bytes; if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) @@ -1475,13 +1514,14 @@ static ssize_t snd_pcm_oss_read1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) - return tmp; while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; break; } + tmp = snd_pcm_oss_make_ready_locked(substream); + if (tmp < 0) + goto err; if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { if (runtime->oss.buffer_used == 0) { tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); @@ -1537,10 +1577,12 @@ static int snd_pcm_oss_reset(struct snd_ continue; runtime = substream->runtime; snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); + mutex_lock(&runtime->oss.params_lock); runtime->oss.prepare = 1; runtime->oss.buffer_used = 0; runtime->oss.prev_hw_ptr_period = 0; runtime->oss.period_ptr = 0; + mutex_unlock(&runtime->oss.params_lock); } return 0; } @@ -1626,9 +1668,10 @@ static int snd_pcm_oss_sync(struct snd_p goto __direct; if ((err = snd_pcm_oss_make_ready(substream)) < 0) return err; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); - mutex_lock(&runtime->oss.params_lock); if (runtime->oss.buffer_used > 0) { #ifdef OSS_DEBUG pcm_dbg(substream->pcm, "sync: buffer_used\n"); @@ -1696,7 +1739,9 @@ static int snd_pcm_oss_sync(struct snd_p substream->f_flags = saved_f_flags; if (err < 0) return err; + mutex_lock(&runtime->oss.params_lock); runtime->oss.prepare = 1; + mutex_unlock(&runtime->oss.params_lock); }
substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; @@ -1707,8 +1752,10 @@ static int snd_pcm_oss_sync(struct snd_p err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); if (err < 0) return err; + mutex_lock(&runtime->oss.params_lock); runtime->oss.buffer_used = 0; runtime->oss.prepare = 1; + mutex_unlock(&runtime->oss.params_lock); } return 0; } @@ -1727,10 +1774,13 @@ static int snd_pcm_oss_set_rate(struct s rate = 1000; else if (rate > 192000) rate = 192000; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.rate != rate) { runtime->oss.params = 1; runtime->oss.rate = rate; } + mutex_unlock(&runtime->oss.params_lock); } return snd_pcm_oss_get_rate(pcm_oss_file); } @@ -1758,10 +1808,13 @@ static int snd_pcm_oss_set_channels(stru if (substream == NULL) continue; runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.channels != channels) { runtime->oss.params = 1; runtime->oss.channels = channels; } + mutex_unlock(&runtime->oss.params_lock); } return snd_pcm_oss_get_channels(pcm_oss_file); } @@ -1845,10 +1898,13 @@ static int snd_pcm_oss_set_format(struct if (substream == NULL) continue; runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.format != format) { runtime->oss.params = 1; runtime->oss.format = format; } + mutex_unlock(&runtime->oss.params_lock); } } return snd_pcm_oss_get_format(pcm_oss_file); @@ -1868,8 +1924,6 @@ static int snd_pcm_oss_set_subdivide1(st { struct snd_pcm_runtime *runtime;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (subdivide == 0) { subdivide = runtime->oss.subdivision; @@ -1893,9 +1947,16 @@ static int snd_pcm_oss_set_subdivide(str
for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; + if (substream == NULL) continue; - if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0) + runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_set_subdivide1(substream, subdivide); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) return err; } return err; @@ -1905,8 +1966,6 @@ static int snd_pcm_oss_set_fragment1(str { struct snd_pcm_runtime *runtime;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (runtime->oss.subdivision || runtime->oss.fragshift) return -EINVAL; @@ -1926,9 +1985,16 @@ static int snd_pcm_oss_set_fragment(stru
for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; + if (substream == NULL) continue; - if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0) + runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_set_fragment1(substream, val); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) return err; } return err; @@ -2012,6 +2078,9 @@ static int snd_pcm_oss_set_trigger(struc } if (psubstream) { runtime = psubstream->runtime; + cmd = 0; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (trigger & PCM_ENABLE_OUTPUT) { if (runtime->oss.trigger) goto _skip1; @@ -2029,13 +2098,19 @@ static int snd_pcm_oss_set_trigger(struc cmd = SNDRV_PCM_IOCTL_DROP; runtime->oss.prepare = 1; } - err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); - if (err < 0) - return err; - } _skip1: + mutex_unlock(&runtime->oss.params_lock); + if (cmd) { + err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); + if (err < 0) + return err; + } + } if (csubstream) { runtime = csubstream->runtime; + cmd = 0; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (trigger & PCM_ENABLE_INPUT) { if (runtime->oss.trigger) goto _skip2; @@ -2050,11 +2125,14 @@ static int snd_pcm_oss_set_trigger(struc cmd = SNDRV_PCM_IOCTL_DROP; runtime->oss.prepare = 1; } - err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); - if (err < 0) - return err; - } _skip2: + mutex_unlock(&runtime->oss.params_lock); + if (cmd) { + err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); + if (err < 0) + return err; + } + } return 0; }
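Review bot: the snd_pcm_oss_make_ready() hunk removes the `if (substream == NULL) return 0;` guard, and the next line dereferences `substream->runtime`. The same guard is dropped from snd_pcm_oss_set_subdivide1() and snd_pcm_oss_set_fragment1(), but there the callers shown in this patch test `substream == NULL` before calling. For snd_pcm_oss_make_ready() the only call visible is the one in snd_pcm_oss_sync(), whose preceding context is outside the hunk, so please confirm in the changelog that every remaining caller passes a non-NULL substream, or keep the guard.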
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 044e6e3d74a3d7103a0c8a9305dfd94d64000660 upstream.
When reading the inode or block allocation bitmap, if the bitmap needs to be initialized, do not update the checksum in the block group descriptor. That's because we're not set up to journal those changes. Instead, just set the verified bit on the bitmap block, so that it's not necessary to validate the checksum.
When a block or inode allocation actually happens, at that point the checksum will be calculated, and update of the bg descriptor block will be properly journalled.
Signed-off-by: Theodore Ts'o tytso@mit.edu
[bwh: Backported to 3.16:
 - Deleted code is slightly different
 - Adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/ext4/balloc.c |  3 +--
 fs/ext4/ialloc.c | 47 +++--------------------------------------------
 2 files changed, 4 insertions(+), 46 deletions(-)
--- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -239,8 +239,6 @@ static int ext4_init_block_bitmap(struct */ ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group), sb->s_blocksize * 8, bh->b_data); - ext4_block_bitmap_csum_set(sb, block_group, gdp, bh); - ext4_group_desc_csum_set(sb, block_group, gdp); return 0; }
@@ -464,6 +462,7 @@ ext4_read_block_bitmap_nowait(struct sup err = ext4_init_block_bitmap(sb, bh, block_group, desc); set_bitmap_uptodate(bh); set_buffer_uptodate(bh); + set_buffer_verified(bh); ext4_unlock_group(sb, block_group); unlock_buffer(bh); if (err) --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -64,45 +64,6 @@ void ext4_mark_bitmap_end(int start_bit, memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3); }
-/* Initializes an uninitialized inode bitmap */ -static unsigned ext4_init_inode_bitmap(struct super_block *sb, - struct buffer_head *bh, - ext4_group_t block_group, - struct ext4_group_desc *gdp) -{ - struct ext4_group_info *grp; - struct ext4_sb_info *sbi = EXT4_SB(sb); - J_ASSERT_BH(bh, buffer_locked(bh)); - - /* If checksum is bad mark all blocks and inodes use to prevent - * allocation, essentially implementing a per-group read-only flag. */ - if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) { - ext4_error(sb, "Checksum bad for group %u", block_group); - grp = ext4_get_group_info(sb, block_group); - if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) - percpu_counter_sub(&sbi->s_freeclusters_counter, - grp->bb_free); - set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state); - if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) { - int count; - count = ext4_free_inodes_count(sb, gdp); - percpu_counter_sub(&sbi->s_freeinodes_counter, - count); - } - set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state); - return 0; - } - - memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); - ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8, - bh->b_data); - ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh, - EXT4_INODES_PER_GROUP(sb) / 8); - ext4_group_desc_csum_set(sb, block_group, gdp); - - return EXT4_INODES_PER_GROUP(sb); -} - void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate) { if (uptodate) { @@ -166,7 +127,9 @@ ext4_read_inode_bitmap(struct super_bloc put_bh(bh); return NULL; } - ext4_init_inode_bitmap(sb, bh, block_group, desc); + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); set_bitmap_uptodate(bh); set_buffer_uptodate(bh); set_buffer_verified(bh);
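Review bot: the deleted ext4_init_inode_bitmap() did more than initialise the bitmap and set checksums. When ext4_group_desc_csum_verify() failed it logged "Checksum bad for group %u", adjusted the free cluster and inode counters, set the BBITMAP and IBITMAP corrupt bits and returned without filling the buffer. The replacement lines in ext4_read_inode_bitmap() go straight to memset() and ext4_mark_bitmap_end(), so that handling is gone for the inode bitmap path, while the changelog only describes dropping the checksum update. Please say in the commit message where a bad group descriptor checksum is caught for this path after the change, or keep the verify step ahead of the memset().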
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown broonie@kernel.org
commit d5b98eb12420ce856caaf57dc5256eedc56a3747 upstream.
When doing a bulk read from a device which lacks raw I/O support we fall back to doing register at a time reads but we still use the raw formatters in order to render the data into the word size used by the device (since bulk reads still operate on the device word size rather than unsigned ints). This means that devices without raw formatting such as those that provide reg_read() are not supported. Provide handling for them by copying the values read into native endian values of the appropriate size.
Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/base/regmap/regmap.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)
--- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2246,7 +2246,34 @@ int regmap_bulk_read(struct regmap *map, &ival); if (ret != 0) return ret; - map->format.format_val(val + (i * val_bytes), ival, 0); + + if (map->format.format_val) { + map->format.format_val(val + (i * val_bytes), ival, 0); + } else { + /* Devices providing read and write + * operations can use the bulk I/O + * functions if they define a val_bytes, + * we assume that the values are native + * endian. + */ + u32 *u32 = val; + u16 *u16 = val; + u8 *u8 = val; + + switch (map->format.val_bytes) { + case 4: + u32[i] = ival; + break; + case 2: + u16[i] = ival; + break; + case 1: + u8[i] = ival; + break; + default: + return -EINVAL; + } + } } }
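Review bot: In the new else branch, the locals `u32 *u32 = val;`, `u16 *u16 = val;` and `u8 *u8 = val;` reuse the kernel type names as variable names, which hides those types for the rest of the block; names such as val32, val16 and val8 would read better. The `default: return -EINVAL;` case is also reached only inside the loop, after a register has already been read, although map->format.val_bytes does not change between iterations, so the size could be validated once before the loop starts.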
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.vnet.ibm.com
commit dae55b6fef58530c13df074bcc182c096609339e upstream.
Immediate retry of EQBS after CCQ 96 means that we potentially misreport the state of buffers inspected during the first EQBS call.
This occurs when
1. the first EQBS finds all inspected buffers still in the initial state set by the driver (ie INPUT EMPTY or OUTPUT PRIMED),
2. the EQBS terminates early with CCQ 96, and
3. by the time that the second EQBS comes around, the state of those previously inspected buffers has changed.
If the state reported by the second EQBS is 'driver-owned', all we know is that the previous buffers are driver-owned now as well. But we can't tell if they all have the same state. So for instance
- the second EQBS reports OUTPUT EMPTY, but any number of the previous buffers could be OUTPUT ERROR by now,
- the second EQBS reports OUTPUT ERROR, but any number of the previous buffers could be OUTPUT EMPTY by now.
Effectively, this can result in both over- and underreporting of errors.
If the state reported by the second EQBS is 'HW-owned', that doesn't guarantee that the previous buffers have not been switched to driver-owned in the mean time. So for instance
- the second EQBS reports INPUT EMPTY, but any number of the previous buffers could be INPUT PRIMED (or INPUT ERROR) by now.
This would result in failure to process pending work on the queue. If it's the final check before yielding initiative, this can cause a (temporary) queue stall due to IRQ avoidance.
Fixes: 25f269f17316 ("[S390] qdio: EQBS retry after CCQ 96") Signed-off-by: Julian Wiedmann jwi@linux.vnet.ibm.com Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_main.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-)
--- a/drivers/s390/cio/qdio_main.c +++ b/drivers/s390/cio/qdio_main.c @@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state, int start, int count, int auto_ack) { - int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0; + int rc, tmp_count = count, tmp_start = start, nr = q->nr; unsigned int ccq = 0;
qperf_inc(q, eqbs); @@ -149,14 +149,7 @@ again: qperf_inc(q, eqbs_partial); DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x", tmp_count); - /* - * Retry once, if that fails bail out and process the - * extracted buffers before trying again. - */ - if (!retried++) - goto again; - else - return count - tmp_count; + return count - tmp_count; }
DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
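Review bot: With `goto again` removed from the CCQ 96 branch of qdio_do_eqbs(), check that the `again:` label named in the second hunk header still has another user; if this was the only jump, the label has to go in the same patch to avoid an unused-label warning. A one-line comment at the new `return count - tmp_count;` saying why EQBS is not retried here would keep the reasoning from the changelog next to the code.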
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Francisco Jerez currojerez@riseup.net
commit 6a65c5b9326c9dd391afb1b3df75cbedffbaccdb upstream.
Until now the software command checker assumed that commands could read or write at most a single register per packet. This is not necessarily the case, MI_LOAD_REGISTER_IMM expects a variable-length list of offset/value pairs and writes them in sequence. The previous code would only check whether the first entry was valid, effectively allowing userspace to write unrestricted registers of the MMIO space by sending a multi-register write with a legal first register, with potential security implications on Gen6 and 7 hardware.
Fix it by extending the drm_i915_cmd_descriptor table to represent multi-register access and making validate_cmd() iterate for all register offsets present in the command packet.
Signed-off-by: Francisco Jerez currojerez@riseup.net Reviewed-by: Zhigang Gong zhigang.gong@linux.intel.com Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 74 +++++++++++++++----------- drivers/gpu/drm/i915/i915_drv.h | 5 ++ 2 files changed, 48 insertions(+), 31 deletions(-)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -123,7 +123,7 @@ static const struct drm_i915_cmd_descrip CMD( MI_SEMAPHORE_MBOX, SMI, !F, 0xFF, R ), CMD( MI_STORE_DWORD_INDEX, SMI, !F, 0xFF, R ), CMD( MI_LOAD_REGISTER_IMM(1), SMI, !F, 0xFF, W, - .reg = { .offset = 1, .mask = 0x007FFFFC } ), + .reg = { .offset = 1, .mask = 0x007FFFFC, .step = 2 } ), CMD( MI_STORE_REGISTER_MEM(1), SMI, !F, 0xFF, W | B, .reg = { .offset = 1, .mask = 0x007FFFFC }, .bits = {{ @@ -859,7 +859,7 @@ bool i915_needs_cmd_parser(struct intel_
static bool check_cmd(const struct intel_engine_cs *ring, const struct drm_i915_cmd_descriptor *desc, - const u32 *cmd, + const u32 *cmd, u32 length, const bool is_master, bool *oacontrol_set) { @@ -875,38 +875,49 @@ static bool check_cmd(const struct intel }
if (desc->flags & CMD_DESC_REGISTER) { - u32 reg_addr = cmd[desc->reg.offset] & desc->reg.mask; - /* - * OACONTROL requires some special handling for writes. We - * want to make sure that any batch which enables OA also - * disables it before the end of the batch. The goal is to - * prevent one process from snooping on the perf data from - * another process. To do that, we need to check the value - * that will be written to the register. Hence, limit - * OACONTROL writes to only MI_LOAD_REGISTER_IMM commands. + * Get the distance between individual register offset + * fields if the command can perform more than one + * access at a time. */ - if (reg_addr == OACONTROL) { - if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { - DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); - return false; - } + const u32 step = desc->reg.step ? desc->reg.step : length; + u32 offset;
- if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) - *oacontrol_set = (cmd[2] != 0); - } + for (offset = desc->reg.offset; offset < length; + offset += step) { + const u32 reg_addr = cmd[offset] & desc->reg.mask; + + /* + * OACONTROL requires some special handling for + * writes. We want to make sure that any batch which + * enables OA also disables it before the end of the + * batch. The goal is to prevent one process from + * snooping on the perf data from another process. To do + * that, we need to check the value that will be written + * to the register. Hence, limit OACONTROL writes to + * only MI_LOAD_REGISTER_IMM commands. + */ + if (reg_addr == OACONTROL) { + if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { + DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); + return false; + }
- if (!valid_reg(ring->reg_table, - ring->reg_count, reg_addr)) { - if (!is_master || - !valid_reg(ring->master_reg_table, - ring->master_reg_count, - reg_addr)) { - DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n", - reg_addr, - *cmd, - ring->id); - return false; + if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) + *oacontrol_set = (cmd[offset + 1] != 0); + } + + if (!valid_reg(ring->reg_table, + ring->reg_count, reg_addr)) { + if (!is_master || + !valid_reg(ring->master_reg_table, + ring->master_reg_count, + reg_addr)) { + DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n", + reg_addr, *cmd, + ring->id); + return false; + } } } } @@ -1020,7 +1031,8 @@ int i915_parse_cmds(struct intel_engine_ break; }
- if (!check_cmd(ring, desc, cmd, is_master, &oacontrol_set)) { + if (!check_cmd(ring, desc, cmd, length, is_master, + &oacontrol_set)) { ret = -EINVAL; break; } --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -1828,10 +1828,15 @@ struct drm_i915_cmd_descriptor { * Describes where to find a register address in the command to check * against the ring's register whitelist. Only valid if flags has the * CMD_DESC_REGISTER bit set. + * + * A non-zero step value implies that the command may access multiple + * registers in sequence (e.g. LRI), in that case step gives the + * distance in dwords between individual offset fields. */ struct { u32 offset; u32 mask; + u32 step; } reg;
#define MAX_CMD_DESC_BITMASKS 3
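Review bot: In the new loop in check_cmd(), `*oacontrol_set = (cmd[offset + 1] != 0);` reads the value dword without checking that offset + 1 is below length, so a packet whose last dword is an OACONTROL offset makes the checker read past the end of the command. Suggest rejecting the command when a descriptor with a non-zero step has `offset + 1 >= length`. Separately, when desc->reg.offset is already >= length the loop body never runs and no register is validated; an explicit reject would be safer than falling through.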
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Mazur krzysiek@podlesie.net
commit 4d1a535b8ec5e74b42dfd9dc809142653b2597f6 upstream.
glibc 2.26 removed the 'struct ucontext' to "improve" POSIX compliance and break programs, including User Mode Linux. Fix User Mode Linux by using POSIX ucontext_t.
This fixes:
  arch/um/os-Linux/signal.c: In function 'hard_handler':
  arch/um/os-Linux/signal.c:163:22: error: dereferencing pointer to incomplete type 'struct ucontext'
    mcontext_t *mc = &uc->uc_mcontext;
  arch/x86/um/stub_segv.c: In function 'stub_segv_handler':
  arch/x86/um/stub_segv.c:16:13: error: dereferencing pointer to incomplete type 'struct ucontext'
    &uc->uc_mcontext);
Signed-off-by: Krzysztof Mazur krzysiek@podlesie.net Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/um/os-Linux/signal.c | 2 +- arch/x86/um/stub_segv.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/um/os-Linux/signal.c +++ b/arch/um/os-Linux/signal.c @@ -135,7 +135,7 @@ static void (*handlers[_NSIG])(int sig,
static void hard_handler(int sig, siginfo_t *si, void *p) { - struct ucontext *uc = p; + ucontext_t *uc = p; mcontext_t *mc = &uc->uc_mcontext; unsigned long pending = 1UL << sig;
--- a/arch/x86/um/stub_segv.c +++ b/arch/x86/um/stub_segv.c @@ -10,7 +10,7 @@ void __attribute__ ((__section__ (".__syscall_stub"))) stub_segv_handler(int sig, siginfo_t *info, void *p) { - struct ucontext *uc = p; + ucontext_t *uc = p;
GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA), &uc->uc_mcontext);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck linux@roeck-us.net
commit ecb29abd4cb0670c616fb563a078f25d777ce530 upstream.
A negative page register value means that no page needs to be selected. This is used by status register read operations and needs to be accepted. The failure to do so results in missed status and limit registers.
Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hwmon/pmbus/adm1275.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/pmbus/adm1275.c +++ b/drivers/hwmon/pmbus/adm1275.c @@ -67,7 +67,7 @@ static int adm1275_read_word_data(struct const struct adm1275_data *data = to_adm1275_data(info); int ret = 0;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) { @@ -144,7 +144,7 @@ static int adm1275_write_word_data(struc { int ret;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) {
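Review bot: `if (page > 0)` in both adm1275_read_word_data() and adm1275_write_word_data() now depends on the convention that a negative page means no page select, but nothing at either site says so. A short comment next to each check would stop a later cleanup from turning it back into `if (page)`.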
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Kelly jamespeterkelly@gmail.com
commit a01df75ce737951ad13a08d101306e88c3f57cb2 upstream.
SSM2602 driver is broken on recent kernels (at least since 4.9). User space applications such as amixer or alsamixer get EIO when attempting to access codec controls via the relevant IOCTLs.
Root cause of these failures is the regcache_hw_init function in drivers/base/regmap/regcache.c, which prevents regmap cache initialization from the reg_defaults_raw element of the regmap_config structure when registers are write only. It also disables the regmap cache entirely when all registers are write only or volatile as is the case for the SSM2602 driver.
Using the reg_defaults element of the regmap_config structure rather than the reg_defaults_raw element to initialize the regmap cache avoids the logic in the regcache_hw_init function entirely. It also makes this driver consistent with other ASoC codec drivers, as this driver was the ONLY codec driver that used the reg_defaults_raw element to initialize the cache.
Tested on Digilent Zybo Z7 development board which has a SSM2603 codec chip connected to a Xilinx Zynq SoC.
Signed-off-by: James Kelly jamespeterkelly@gmail.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/soc/codecs/ssm2602.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
--- a/sound/soc/codecs/ssm2602.c +++ b/sound/soc/codecs/ssm2602.c @@ -54,10 +54,17 @@ struct ssm2602_priv { * using 2 wire for device control, so we cache them instead. * There is no point in caching the reset register */ -static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = { - 0x0097, 0x0097, 0x0079, 0x0079, - 0x000a, 0x0008, 0x009f, 0x000a, - 0x0000, 0x0000 +static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { + { .reg = 0x00, .def = 0x0097 }, + { .reg = 0x01, .def = 0x0097 }, + { .reg = 0x02, .def = 0x0079 }, + { .reg = 0x03, .def = 0x0079 }, + { .reg = 0x04, .def = 0x000a }, + { .reg = 0x05, .def = 0x0008 }, + { .reg = 0x06, .def = 0x009f }, + { .reg = 0x07, .def = 0x000a }, + { .reg = 0x08, .def = 0x0000 }, + { .reg = 0x09, .def = 0x0000 } };
@@ -629,8 +636,8 @@ const struct regmap_config ssm2602_regma .volatile_reg = ssm2602_register_volatile,
.cache_type = REGCACHE_RBTREE, - .reg_defaults_raw = ssm2602_reg, - .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg), + .reg_defaults = ssm2602_reg, + .num_reg_defaults = ARRAY_SIZE(ssm2602_reg), }; EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Brüns stefan.bruens@rwth-aachen.de
commit cfb926e148e99acc02351d72e8b85e32b5f786ef upstream.
The ACK/NACK implementation as found in e.g. the G965 has the falling clock edge and the release of the data line after the ACK for the received byte happen at the same time.
This is conformant with the I2C specification, which allows a zero hold time, see footnote [3]: "A device must internally provide a hold time of at least 300 ns for the SDA signal (with respect to the V IH(min) of the SCL signal) to bridge the undefined region of the falling edge of SCL."
Some HDMI-to-VGA converters apparently fail to adhere to this requirement and latch SDA at the falling clock edge, so instead of an ACK sometimes a NACK is read and the slave (i.e. the EDID ROM) ends the transfer.
The bitbanging releases the data line for the ACK only 1/4 bit time after the falling clock edge, so a slave will see the correct value no matter if it samples at the rising or the falling clock edge or in the center.
Fallback to bitbanging is already done for the CRT connector.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92685 Signed-off-by: Stefan Brüns stefan.bruens@rwth-aachen.de Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Link: https://patchwork.freedesktop.org/patch/msgid/a39f080b-81a5-4c93-b3f7-7cb0a5... [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/intel_hdmi.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/intel_hdmi.c +++ b/drivers/gpu/drm/i915/intel_hdmi.c @@ -971,6 +971,7 @@ intel_hdmi_detect(struct drm_connector * struct edid *edid; enum intel_display_power_domain power_domain; enum drm_connector_status status = connector_status_disconnected; + struct i2c_adapter *i2c;
DRM_DEBUG_KMS("[CONNECTOR:%d:%s]\n", connector->base.id, connector->name); @@ -981,9 +982,16 @@ intel_hdmi_detect(struct drm_connector * intel_hdmi->has_hdmi_sink = false; intel_hdmi->has_audio = false; intel_hdmi->rgb_quant_range_selectable = false; - edid = drm_get_edid(connector, - intel_gmbus_get_adapter(dev_priv, - intel_hdmi->ddc_bus)); + i2c = intel_gmbus_get_adapter(dev_priv, intel_hdmi->ddc_bus); + + edid = drm_get_edid(connector, i2c); + + if (!edid && !intel_gmbus_is_forced_bit(i2c)) { + DRM_DEBUG_KMS("HDMI GMBUS EDID read failed, retry using GPIO bit-banging\n"); + intel_gmbus_force_bit(i2c, true); + edid = drm_get_edid(connector, i2c); + intel_gmbus_force_bit(i2c, false); + }
if (edid) { if (edid->input & DRM_EDID_INPUT_DIGITAL) {
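Review bot: In intel_hdmi_detect(), the bit-banging retry runs whenever the first drm_get_edid() returns NULL, which includes the ordinary case of nothing being plugged in, so every detect on an empty port now performs two EDID reads and prints the DRM_DEBUG_KMS message. If a NACK in mid-transfer can be told apart from no response at all, retry only in that case; otherwise note the extra probe cost in a comment above the `if (!edid && !intel_gmbus_is_forced_bit(i2c))` block.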
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann arnd@arndb.de
commit a398e043637a4819a0e96467bfecaabf3224dd62 upstream.
While experimenting with older compiler versions, I ran into a warning that no longer shows up on gcc-4.8 or newer:
  drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
  drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
This is an off-by-one bug, leading to an access before the start of the array, while newer compilers silently assume this undefined behavior cannot happen and leave the loop at index 0 if no other entry matches.
As Sylvester explains, we actually need to ensure that the value is within the range, so this reworks the loop to be easier to parse correctly, and an additional check to fall back on the first format value for any unexpected input.
I found an existing gcc bug for it and added a reduced version of the function there.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann arnd@arndb.de Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Acked-by: Sakari Ailus sakari.ailus@linux.intel.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1280,16 +1280,17 @@ static void __camif_subdev_try_format(st { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + unsigned int i;
/* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC];
- while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break;
- mf->code = camif_mbus_formats[i]; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0];
if (pad == CAMIF_SD_PAD_SINK) { v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa jolsa@kernel.org
commit c3dec27b7f70a9ad5f777d943d51ecdfcd9824d0 upstream.
There's no new-line after target-override warning, now:
  $ perf record -a --per-thread
  Warning: SYSTEM/CPU switch overriding PER-THREAD^C[ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.705 MB perf.data (2939 samples) ]
with patch:
  $ perf record -a --per-thread
  Warning: SYSTEM/CPU switch overriding PER-THREAD
  ^C[ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.705 MB perf.data (2939 samples) ]
Signed-off-by: Jiri Olsa jolsa@kernel.org Tested-by: Arnaldo Carvalho de Melo acme@redhat.com Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: David Ahern dsahern@gmail.com Cc: Namhyung Kim namhyung@kernel.org Cc: Peter Zijlstra peterz@infradead.org Fixes: 16ad2ffb822c ("perf tools: Introduce perf_target__strerror()") Link: http://lkml.kernel.org/r/20180206181813.10943-3-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- tools/perf/builtin-record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/builtin-record.c +++ b/tools/perf/builtin-record.c @@ -942,7 +942,7 @@ int cmd_record(int argc, const char **ar err = target__validate(&rec->opts.target); if (err) { target__strerror(&rec->opts.target, err, errbuf, BUFSIZ); - ui__warning("%s", errbuf); + ui__warning("%s\n", errbuf); }
err = target__parse_uid(&rec->opts.target);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner david@lechnology.com
commit 45dcb54f014d3d1f5cc3919b5f0c97087d7cb3dd upstream.
This fixes pcs_request_gpio() in the pinctrl-single driver when bits_per_mux != 0. It appears this was overlooked when the multiple pins per register feature was added.
Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules") Signed-off-by: David Lechner david@lechnology.com Acked-by: Tony Lindgren tony@atomide.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/pinctrl/pinctrl-single.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -562,9 +562,25 @@ static int pcs_request_gpio(struct pinct || pin < frange->offset) continue; mux_bytes = pcs->width / BITS_PER_BYTE; - data = pcs->read(pcs->base + pin * mux_bytes) & ~pcs->fmask; - data |= frange->gpiofunc; - pcs->write(data, pcs->base + pin * mux_bytes); + + if (pcs->bits_per_mux) { + int byte_num, offset, pin_shift; + + byte_num = (pcs->bits_per_pin * pin) / BITS_PER_BYTE; + offset = (byte_num / mux_bytes) * mux_bytes; + pin_shift = pin % (pcs->width / pcs->bits_per_pin) * + pcs->bits_per_pin; + + data = pcs->read(pcs->base + offset); + data &= ~(pcs->fmask << pin_shift); + data |= frange->gpiofunc << pin_shift; + pcs->write(data, pcs->base + offset); + } else { + data = pcs->read(pcs->base + pin * mux_bytes); + data &= ~pcs->fmask; + data |= frange->gpiofunc; + pcs->write(data, pcs->base + pin * mux_bytes); + } break; } return 0;
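Review bot: In the new bits_per_mux branch of pcs_request_gpio(), `pin_shift = pin % (pcs->width / pcs->bits_per_pin) * pcs->bits_per_pin;` relies on % and * grouping left to right; put the modulo in its own parentheses so the intent is explicit. byte_num, offset and pin_shift are declared int although pin_shift is used as a shift count and offset is added to pcs->base, so unsigned int would be the safer type. A one-line comment explaining that several pins share one register in this mode would also help, since the else branch keeps the one-register-per-pin arithmetic.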
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michal Srb msrb@suse.com
commit 3aec7f871c65eb5f76b4125fda432593c834a6f2 upstream.
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. In that case check_cmd will read bits from the following command, or even past the end of the buffer.
If the offset ends up outside of the command length, reject the command.
Fixes: 351e3db2b363 ("drm/i915: Implement command buffer parsing logic") Signed-off-by: Michal Srb msrb@suse.com Link: https://patchwork.freedesktop.org/patch/msgid/20180205151745.29292-1-msrb@su... Reviewed-by: Chris Wilson chris@chris-wilson.co.uk Signed-off-by: Chris Wilson chris@chris-wilson.co.uk Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-2-chris@ch... [bwh: Backported to 3.16: Log ring->id rather than engine->name] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -941,6 +941,12 @@ static bool check_cmd(const struct intel continue; }
+ if (desc->bits[i].offset >= length) { + DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X, too short to check bitmask (ring=%d)\n", + *cmd, ring->id); + return false; + } + dword = cmd[desc->bits[i].offset] & desc->bits[i].mask;
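The two command-checker fixes in this series (the multi-register MI_LOAD_REGISTER_IMM check earlier and the bitmask offset check in this patch) share one rule: every dword index the checker reads must lie inside the command, and every register field must be validated. The following is an added example, not i915 code: the descriptor layout, whitelist values and packet contents are constructed for illustration, and the rejection of a trailing offset with no value dword is an extra check that neither patch contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical descriptor: a cut-down model of the fields the two patches
 * touch (reg.offset/mask/step and one bits[] entry). Not the i915 struct. */
struct cmd_desc {
    bool     has_reg;
    uint32_t reg_offset;    /* dword index of the first register field */
    uint32_t reg_mask;      /* selects the register address bits */
    uint32_t reg_step;      /* dwords between register fields, 0 = one access */
    bool     has_bits;
    uint32_t bits_offset;   /* dword index of the field to compare */
    uint32_t bits_mask;
    uint32_t bits_expected;
};

/* Constructed whitelist; real tables are per ring and per hardware generation. */
static const uint32_t allowed_regs[] = { 0x2000, 0x2004, 0x2358 };

static bool reg_allowed(uint32_t addr)
{
    size_t i;

    for (i = 0; i < sizeof(allowed_regs) / sizeof(allowed_regs[0]); i++)
        if (allowed_regs[i] == addr)
            return true;
    return false;
}

/* Pre-fix behaviour as the changelog describes it: only the first
 * register field is compared against the whitelist. */
static bool check_first_only(const struct cmd_desc *d, const uint32_t *cmd,
                             uint32_t length)
{
    (void)length;
    return !d->has_reg || reg_allowed(cmd[d->reg_offset] & d->reg_mask);
}

/* Post-fix behaviour: walk every register field and refuse any index
 * that falls outside the command. */
static bool check_all(const struct cmd_desc *d, const uint32_t *cmd,
                      uint32_t length)
{
    if (d->has_reg) {
        const uint32_t step = d->reg_step ? d->reg_step : length;
        uint32_t off;

        if (d->reg_offset >= length)
            return false;               /* no register field to validate */
        for (off = d->reg_offset; off < length; off += step) {
            /* Extra check (assumes offset/value pairs): an offset with
             * no value dword after it is malformed. */
            if (d->reg_step && off + 1 >= length)
                return false;
            if (!reg_allowed(cmd[off] & d->reg_mask))
                return false;
        }
    }
    if (d->has_bits) {
        if (d->bits_offset >= length)
            return false;               /* too short to check the bitmask */
        if ((cmd[d->bits_offset] & d->bits_mask) != d->bits_expected)
            return false;
    }
    return true;
}

#define HDR 0xAA000000u /* constructed header dword, not a real opcode */

static const struct cmd_desc lri_desc = {
    .has_reg = true, .reg_offset = 1, .reg_mask = 0x007FFFFC, .reg_step = 2,
};
static const struct cmd_desc state_desc = {
    .has_bits = true, .bits_offset = 2, .bits_mask = 0x1, .bits_expected = 0,
};

/* Constructed packets: header followed by offset/value pairs. */
static const uint32_t lri_ok[]      = { HDR, 0x2000, 1, 0x2004, 2 };
static const uint32_t lri_mixed[]   = { HDR, 0x2000, 1, 0x4000, 0xdead };
static const uint32_t lri_odd[]     = { HDR, 0x2000, 1, 0x2004 };
static const uint32_t state_short[] = { HDR, 0 };
static const uint32_t state_ok[]    = { HDR, 0, 0 };

int main(void)
{
    printf("mixed, first-only: %d\n", check_first_only(&lri_desc, lri_mixed, 5));
    printf("mixed, all fields: %d\n", check_all(&lri_desc, lri_mixed, 5));
    printf("ok, all fields:    %d\n", check_all(&lri_desc, lri_ok, 5));
    printf("odd length:        %d\n", check_all(&lri_desc, lri_odd, 4));
    printf("short bitmask cmd: %d\n", check_all(&state_desc, state_short, 2));
    printf("valid bitmask cmd: %d\n", check_all(&state_desc, state_ok, 3));
    return 0;
}
```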
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit 5673444821406dda5fc25e4b52aca419f8065a19 upstream.
The imx_ports[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/imx.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -1919,6 +1919,12 @@ static int serial_imx_probe(struct platf else if (ret < 0) return ret;
+ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", + sport->port.line); + return -EINVAL; + } + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); base = devm_ioremap_resource(&pdev->dev, res); if (IS_ERR(base))
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg mika.westerberg@linux.intel.com
commit 13d3047c81505cc0fb9bdae7810676e70523c8bf upstream.
Mike Lothian reported that plugging in a USB-C device does not work properly in his Dell Alienware system. This system has an Intel Alpine Ridge Thunderbolt controller providing USB-C functionality. In these systems the USB controller (xHCI) is hotplugged whenever a device is connected to the port using ACPI-based hotplug.
The ACPI description of the root port in question is as follows:
  Device (RP01)
  {
      Name (_ADR, 0x001C0000)

      Device (PXSX)
      {
          Name (_ADR, 0x02)

          Method (_RMV, 0, NotSerialized)
          {
              // ...
          }
      }
Here _ADR 0x02 means device 0, function 2 on the bus under root port (RP01) but that seems to be incorrect because device 0 is the upstream port of the Alpine Ridge PCIe switch and it has no functions other than 0 (the bridge itself). When we get ACPI Notify() to the root port resulting from connecting a USB-C device, Linux tries to read PCI_VENDOR_ID from device 0, function 2 which of course always returns 0xffffffff because there is no such function and we never find the device.
In Windows this works fine.
Now, since we get ACPI Notify() to the root port and not to the PXSX device we should actually start our scan from there as well and not from the non-existent PXSX device. Fix this by checking presence of the slot itself (function 0) if we fail to do that otherwise.
While there use pci_bus_read_dev_vendor_id() in get_slot_status(), which is the recommended way to read Device and Vendor IDs of devices on PCI buses.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198557 Reported-by: Mike Lothian mike@fireburn.co.uk Signed-off-by: Mika Westerberg mika.westerberg@linux.intel.com Signed-off-by: Bjorn Helgaas bhelgaas@google.com Reviewed-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/pci/hotplug/acpiphp_glue.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-)
--- a/drivers/pci/hotplug/acpiphp_glue.c +++ b/drivers/pci/hotplug/acpiphp_glue.c @@ -601,6 +601,7 @@ static unsigned int get_slot_status(stru { unsigned long long sta = 0; struct acpiphp_func *func; + u32 dvid;
list_for_each_entry(func, &slot->funcs, sibling) { if (func->flags & FUNC_HAS_STA) { @@ -611,19 +612,27 @@ static unsigned int get_slot_status(stru if (ACPI_SUCCESS(status) && sta) break; } else { - u32 dvid; - - pci_bus_read_config_dword(slot->bus, - PCI_DEVFN(slot->device, - func->function), - PCI_VENDOR_ID, &dvid); - if (dvid != 0xffffffff) { + if (pci_bus_read_dev_vendor_id(slot->bus, + PCI_DEVFN(slot->device, func->function), + &dvid, 0)) { sta = ACPI_STA_ALL; break; } } }
+ if (!sta) { + /* + * Check for the slot itself since it may be that the + * ACPI slot is a device below PCIe upstream port so in + * that case it may not even be reachable yet. + */ + if (pci_bus_read_dev_vendor_id(slot->bus, + PCI_DEVFN(slot->device, 0), &dvid, 0)) { + sta = ACPI_STA_ALL; + } + } + return (unsigned int)sta; }
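Review bot: The new `if (!sta)` fallback after the loop in get_slot_status() also triggers when a function with FUNC_HAS_STA evaluated _STA successfully and got 0, so a slot that firmware reports as not present becomes ACPI_STA_ALL as soon as function 0 answers the vendor ID read. If that override is intended, say so in the new comment; otherwise restrict the fallback to the case where the per-function config read found nothing.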
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet jbrunet@baylibre.com
commit fe3f338f0cb2ed4d4f06da054c21ae2f8a36ef2d upstream.
The mux documentation mentions the non-existing parameter width instead of mask, so just sed this.
The table field is missing in the documentation of clk_mux. Add a small blurb explaining what it is
Fixes: 9d9f78ed9af0 ("clk: basic clock hardware types") Signed-off-by: Jerome Brunet jbrunet@baylibre.com Signed-off-by: Michael Turquette mturquette@baylibre.com Signed-off-by: Stephen Boyd sboyd@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/clk-provider.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/linux/clk-provider.h +++ b/include/linux/clk-provider.h @@ -356,8 +356,9 @@ struct clk *clk_register_divider_table(s * * @hw: handle between common and hardware-specific interfaces * @reg: register controlling multiplexer + * @table: array of register values corresponding to the parent index * @shift: shift to multiplexer bit field - * @width: width of mutliplexer bit field + * @mask: mask of mutliplexer bit field * @flags: hardware-specific flags * @lock: register lock *
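Review bot: The added `@mask:` line carries over the typo from the line it replaces ("mutliplexer"); since the line is being rewritten anyway, spell it "multiplexer" here.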
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Major Hayden major@mhtx.net
commit 9608e5c0f079390473b484ef92334dfd3431bb89 upstream.
This patch adds a device ID for the RT Systems cable used to program Yaesu VX-8R/VX-8DR handheld radios. It uses the main FTDI VID instead of the common RT Systems VID.
Signed-off-by: Major Hayden major@mhtx.net Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 3 +++ 2 files changed, 4 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -786,6 +786,7 @@ static const struct usb_device_id id_tab .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, + { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, --- a/drivers/usb/serial/ftdi_sio_ids.h +++ b/drivers/usb/serial/ftdi_sio_ids.h @@ -922,6 +922,9 @@ /* * RT Systems programming cables for various ham radios */ +/* This device uses the VID of FTDI */ +#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */ #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */
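Review bot: In ftdi_sio_ids.h, RTSYSTEMS_USB_VX8_PID is defined as 0x9e50, the same value as RTSYSTEMS_USB_59_PID two lines below, so the two id_table entries differ only in vendor ID (FTDI_VID versus RTSYSTEMS_VID). The new comment says the device uses the FTDI VID, but it should also state that the PID is shared with the USB-59 cable so the duplicate value is not taken for a copy-and-paste error.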
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit e7d75e18d0fc3f7193b65282b651f980c778d935 upstream.
The cdns_uart_port[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Michal Simek michal.simek@xilinx.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/xilinx_uartps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/xilinx_uartps.c +++ b/drivers/tty/serial/xilinx_uartps.c @@ -1007,7 +1007,7 @@ static struct uart_port *cdns_uart_get_p struct uart_port *port;
/* Try the given port id if failed use default method */ - if (cdns_uart_port[id].mapbase != 0) { + if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { /* Find the next unused port */ for (id = 0; id < CDNS_UART_NR_PORTS; id++) if (cdns_uart_port[id].mapbase == 0)
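Review bot: the added id < CDNS_UART_NR_PORTS test in cdns_uart_get_port() protects only the read of cdns_uart_port[id].mapbase. When id is out of range the whole branch is skipped and id keeps its out-of-range value, so the fix relies on a later bounds check that is outside this hunk's context; please confirm that check is present in 3.16 before the port is handed back. If id is a signed type, a negative alias value would also pass the < comparison, so either the type or a lower-bound test needs confirming.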
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 347876ad47b9923ce26e686173bbf46581802ffa upstream.
The shifting of buf[5] by 24 bits to the left will be promoted to a 32 bit signed int and then sign-extended to an unsigned long. If the top bit of buf[5] is set then all the upper bits of sec end up as also being set because of the sign-extension. Fix this by casting buf[5] to an unsigned long before the shift.
Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Alexandre Belloni alexandre.belloni@bootlin.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/rtc/rtc-tx4939.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/rtc/rtc-tx4939.c +++ b/drivers/rtc/rtc-tx4939.c @@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d for (i = 2; i < 6; i++) buf[i] = __raw_readl(&rtcreg->dat); spin_unlock_irq(&pdata->lock); - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | + (buf[3] << 8) | buf[2]; rtc_time_to_tm(sec, tm); return rtc_valid_tm(tm); } @@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; spin_unlock_irq(&pdata->lock); - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | + (buf[3] << 8) | buf[2]; rtc_time_to_tm(sec, &alrm->time); return rtc_valid_tm(&alrm->time); }
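Review bot: only buf[5] is cast in the new expression, and the reason (assuming buf holds 8-bit values, it is the only operand whose shift can reach bit 31 of the promoted int) is not recorded at either call site. Since the identical expression is patched in both tx4939_rtc_read_time() and tx4939_rtc_read_alarm(), a small helper with a one-line comment would state the reason once and keep the two copies from diverging again.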
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leonard Crestez leonard.crestez@nxp.com
commit 6aaf49b495b446ff6eec0ac983f781ca0dc56a73 upstream.
The decision to rebuild .S_shipped is made based on the relative timestamps of .S_shipped and .pl files but git makes this essentially random. This means that the perl script might run anyway (usually at most once per checkout), defeating the whole purpose of _shipped.
Fix by skipping the rule unless explicit make variables are provided: REGENERATE_ARM_CRYPTO or REGENERATE_ARM64_CRYPTO.
This can produce nasty occasional build failures downstream, for example for toolchains with broken perl. The solution is minimally intrusive to make it easier to push into stable.
Another report on a similar issue here: https://lkml.org/lkml/2018/3/8/1379
Signed-off-by: Leonard Crestez leonard.crestez@nxp.com Reviewed-by: Masahiro Yamada yamada.masahiro@socionext.com Acked-by: Ard Biesheuvel ard.biesheuvel@linaro.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au [bwh: Backported to 3.16: Only arm has this problem] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/arm/crypto/Makefile +++ b/arch/arm/crypto/Makefile @@ -10,10 +10,12 @@ aes-arm-y := aes-armv4.o aes_glue.o aes-arm-bs-y := aesbs-core.o aesbs-glue.o sha1-arm-y := sha1-armv4-large.o sha1_glue.o
+ifdef REGENERATE_ARM_CRYPTO quiet_cmd_perl = PERL $@ cmd_perl = $(PERL) $(<) > $(@)
$(src)/aesbs-core.S_shipped: $(src)/bsaes-armv7.pl $(call cmd,perl) +endif
.PRECIOUS: $(obj)/aesbs-core.S
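Review bot: the rule for $(src)/aesbs-core.S_shipped is now gated on REGENERATE_ARM_CRYPTO, but nothing in arch/arm/crypto/Makefile says that the variable exists or when to set it. A short comment above the ifdef, stating that the variable must be defined on the make command line after editing bsaes-armv7.pl, would save someone from changing the .pl file and wondering why the shipped assembly never updates.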
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax ckeepax@opensource.cirrus.com
commit 9ae27a8d1f3ebff09191fb8cb1341414547293b2 upstream.
A bulk read can be implemented either through regmap_raw_read, or by reading each register individually using regmap_read. Both regmap_read and regmap_bulk_read should return values in native endian. In the individual case the current implementation calls format_val to put the data into the output array, which can cause endian issues. The regmap_read will have already converted the data into native endian; if the host's endian differs from the device then format_val will switch the endian back again.
Rather than using format_val simply use the code that is called if there is no format_val function. This code supports all cases except 24-bit but there don't appear to be any users of regmap_bulk_read for 24-bit. Additionally, it would have to be a big endian host for the old code to actually function correctly anyway.
Fixes: 15b8d2c41fe5 ("regmap: Fix regmap_bulk_read in BE mode") Reported-by: David Rhodes david.rhodes@cirrus.com Signed-off-by: Charles Keepax ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown broonie@kernel.org [bwh: Backported to 3.16: - 64-bit I/O is not supported - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2240,39 +2240,30 @@ int regmap_bulk_read(struct regmap *map, for (i = 0; i < val_count * val_bytes; i += val_bytes) map->format.parse_inplace(val + i); } else { + u32 *u32 = val; + u16 *u16 = val; + u8 *u8 = val; + for (i = 0; i < val_count; i++) { unsigned int ival; + ret = regmap_read(map, reg + (i * map->reg_stride), &ival); if (ret != 0) return ret;
- if (map->format.format_val) { - map->format.format_val(val + (i * val_bytes), ival, 0); - } else { - /* Devices providing read and write - * operations can use the bulk I/O - * functions if they define a val_bytes, - * we assume that the values are native - * endian. - */ - u32 *u32 = val; - u16 *u16 = val; - u8 *u8 = val; - - switch (map->format.val_bytes) { - case 4: - u32[i] = ival; - break; - case 2: - u16[i] = ival; - break; - case 1: - u8[i] = ival; - break; - default: - return -EINVAL; - } + switch (map->format.val_bytes) { + case 4: + u32[i] = ival; + break; + case 2: + u16[i] = ival; + break; + case 1: + u8[i] = ival; + break; + default: + return -EINVAL; } } }
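Review bot: in the per-register branch of regmap_bulk_read() the switch on map->format.val_bytes is loop-invariant but sits after the regmap_read() call, so an unsupported width (the 24-bit case the commit message mentions) returns -EINVAL only after the first register has already been read. Checking val_bytes once before the loop avoids that side effect. The removed comment explaining that values are assumed to be native endian still describes the code that survives and would be worth keeping next to the switch.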
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Ma aaron.ma@canonical.com
commit 6de0b13cc0b4ba10e98a9263d7a83b940720b77a upstream.
When size is negative, calling memset will cause a segmentation fault. Declare the size as type u32 to keep memset safe.
size in struct hid_report is unsigned, fix return type of hid_report_len to u32.
Signed-off-by: Aaron Ma aaron.ma@canonical.com Signed-off-by: Jiri Kosina jkosina@suse.cz [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hid-core.c | 10 +++++----- include/linux/hid.h | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1284,7 +1284,7 @@ void hid_output_report(struct hid_report } EXPORT_SYMBOL_GPL(hid_output_report);
-static int hid_report_len(struct hid_report *report) +static u32 hid_report_len(struct hid_report *report) { /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ return ((report->size - 1) >> 3) + 1 + (report->id > 0); @@ -1300,7 +1300,7 @@ u8 *hid_alloc_report_buf(struct hid_repo * of implement() working on 8 byte chunks */
- int len = hid_report_len(report) + 7; + u32 len = hid_report_len(report) + 7;
return kmalloc(len, flags); } @@ -1365,7 +1365,7 @@ void __hid_request(struct hid_device *hi { char *buf; int ret; - int len; + u32 len;
buf = hid_alloc_report_buf(report, GFP_KERNEL); if (!buf) @@ -1391,14 +1391,14 @@ out: } EXPORT_SYMBOL_GPL(__hid_request);
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, +int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) { struct hid_report_enum *report_enum = hid->report_enum + type; struct hid_report *report; struct hid_driver *hdrv; unsigned int a; - int rsize, csize = size; + u32 rsize, csize = size; u8 *cdata = data; int ret = 0;
@@ -1456,7 +1456,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); * * This is data entry for lower layers. */ -int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt) +int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) { struct hid_report_enum *report_enum; struct hid_driver *hdrv; --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -757,7 +757,7 @@ extern int hidinput_connect(struct hid_d extern void hidinput_disconnect(struct hid_device *);
int hid_set_field(struct hid_field *, unsigned, __s32); -int hid_input_report(struct hid_device *, int type, u8 *, int, int); +int hid_input_report(struct hid_device *, int type, u8 *, u32, int); int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field); struct hid_field *hidinput_get_led_field(struct hid_device *hid); unsigned int hidinput_count_leds(struct hid_device *hid); @@ -1055,7 +1055,7 @@ static inline void hid_hw_wait(struct hi hdev->ll_driver->wait(hdev); }
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, +int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt);
/* HID quirks API */
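Review bot: hid_input_report() and hid_report_raw_event() now take u32 size, so a caller that passes a signed length, for instance an unchecked error return, has it converted silently to a very large value instead of arriving as a negative number. None of the callers are in this patch, so they need an audit for that pattern. Separately, the expression (report->size - 1) >> 3 in hid_report_len() wraps when report->size is 0 and yields a length of about 0x20000000, which hid_alloc_report_buf() then passes to kmalloc(); the type change does not address that, and a zero-size guard would.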
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Igor Pylypiv igor.pylypiv@gmail.com
commit 977f6f68331f94bb72ad84ee96b7b87ce737d89d upstream.
F71808FG_FLAG_WD_EN defines bit position, not a bitmask
Signed-off-by: Igor Pylypiv igor.pylypiv@gmail.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/watchdog/f71808e_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/watchdog/f71808e_wdt.c +++ b/drivers/watchdog/f71808e_wdt.c @@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0)) && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF) - & F71808FG_FLAG_WD_EN); + & BIT(F71808FG_FLAG_WD_EN));
superio_exit(watchdog.sioaddr);
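Review bot: F71808FG_FLAG_WD_EN carries a FLAG_ name but, per the commit message, is a bit position, which is why the old & F71808FG_FLAG_WD_EN in watchdog_is_running() looked plausible. Please check the driver's other uses of its FLAG_ constants for the same slip, and consider a comment at their definitions stating that they are bit numbers to be wrapped in BIT().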
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Neuschäfer j.neuschaefer@gmx.net
commit 8eb1a8590f5ca114fabf16ebb26a4bce0255ace9 upstream.
This fixes the following kernel-doc warning:
./include/net/dst.h:366: warning: Function parameter or member 'net' not described in 'skb_tunnel_rx'
Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") Signed-off-by: Jonathan Neuschäfer j.neuschaefer@gmx.net Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/net/dst.h | 1 + 1 file changed, 1 insertion(+)
--- a/include/net/dst.h +++ b/include/net/dst.h @@ -350,6 +350,7 @@ static inline void __skb_tunnel_rx(struc * skb_tunnel_rx - prepare skb for rx reinsert * @skb: buffer * @dev: tunnel device + * @net: netns for packet i/o * * After decapsulation, packet is going to re-enter (netif_rx()) our stack, * so make some cleanups, and perform accounting.
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 67300abdbe9f1717532aaf4e037222762716d0f6 upstream.
Currently an out of range dev->nr is detected by just reporting the issue and later on an out-of-bounds read on array card occurs because of this. Fix this by checking the upper range of dev->nr with the size of array card (removes the hard coded size), move this check earlier and also exit with the error -ENOSYS to avoid the later out-of-bounds array read.
Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Hans Verkuil hans.verkuil@cisco.com [hans.verkuil@cisco.com: %ld -> %zd] Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/pci/cx25821/cx25821-core.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/pci/cx25821/cx25821-core.c +++ b/drivers/media/pci/cx25821/cx25821-core.c @@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25 dev->nr = ++cx25821_devcount; sprintf(dev->name, "cx25821[%d]", dev->nr);
+ if (dev->nr >= ARRAY_SIZE(card)) { + CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card)); + return -ENODEV; + } if (dev->pci->device != 0x8210) { pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n", __func__, dev->pci->device); @@ -887,9 +891,6 @@ static int cx25821_dev_setup(struct cx25 dev->channels[i].sram_channels = &cx25821_sram_channels[i]; }
- if (dev->nr > 1) - CX25821_INFO("dev->nr > 1!"); - /* board config */ dev->board = 1; /* card[dev->nr]; */ dev->_max_num_decoders = MAX_DECODERS;
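Review bot: the commit message says the function exits with -ENOSYS, but the added check in cx25821_dev_setup() returns -ENODEV; the changelog and the code should agree. In the same block, ARRAY_SIZE() yields a size_t, for which the conversion is %zu rather than %zd, and dev->nr = ++cx25821_devcount has already run by the time the check fails, so the counter stays incremented for a device that was rejected.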
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 upstream.
This updates the jbd2 superblock unnecessarily, and on an abort we shouldn't truncate the log.
Signed-off-by: Theodore Ts'o tytso@mit.edu Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/jbd2/journal.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -923,7 +923,7 @@ out: }
/* - * This is a variaon of __jbd2_update_log_tail which checks for validity of + * This is a variation of __jbd2_update_log_tail which checks for validity of * provided log tail and locks j_checkpoint_mutex. So it is safe against races * with other threads updating log tail. */ @@ -1399,6 +1399,9 @@ int jbd2_journal_update_sb_log_tail(jour journal_superblock_t *sb = journal->j_superblock; int ret;
+ if (is_journal_aborted(journal)) + return -EIO; + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", tail_block, tail_tid);
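Review bot: in jbd2_journal_update_sb_log_tail() the new is_journal_aborted() early return is placed above BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)), so a caller that failed to take the mutex is no longer caught whenever the journal happens to be aborted. Moving the abort check below the BUG_ON keeps the locking assertion unconditional at no cost to the fix.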
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 upstream.
The lpuart_ports[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/fsl_lpuart.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1170,6 +1170,10 @@ static int lpuart_probe(struct platform_ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); return ret; } + if (ret >= ARRAY_SIZE(lpuart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", ret); + return -EINVAL; + } sport->port.line = ret;
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit f9f5786987e81d166c60833edcb7d1836aa16944 upstream.
The arc_uart_ports[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Note that the array size is defined by a Kconfig symbol (CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a legitimate DTB.
Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: Put the check in arc_uart_init_one() and move initialisation of the uart variable below it] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/tty/serial/arc_uart.c +++ b/drivers/tty/serial/arc_uart.c @@ -531,8 +531,14 @@ arc_uart_init_one(struct platform_device { struct resource *res, *res2; unsigned long *plat_data; - struct arc_uart_port *uart = &arc_uart_ports[dev_id]; + struct arc_uart_port *uart;
+ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", dev_id); + return -EINVAL; + } + + uart = &arc_uart_ports[dev_id]; plat_data = dev_get_platdata(&pdev->dev); if (!plat_data) return -ENODEV;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sudhir Sreedharan ssreedharan@mvista.com
commit 7972326a26b5bf8dc2adac575c4e03ee7e9d193a upstream.
This can be reproduced by binding/unbinding the driver multiple times on an AM3517 board.
Analysis revealed that rtl8187_start() was invoked before probe finishes (i.e. before the mutex is initialized).
INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 Hardware name: Generic AM3517 (Flattened Device Tree) [<c010e0d8>] (unwind_backtrace) from [<c010beac>] (show_stack+0x10/0x14) [<c010beac>] (show_stack) from [<c017401c>] (register_lock_class+0x4f4/0x55c) [<c017401c>] (register_lock_class) from [<c0176fe0>] (__lock_acquire+0x74/0x1938) [<c0176fe0>] (__lock_acquire) from [<c0178cfc>] (lock_acquire+0xfc/0x23c) [<c0178cfc>] (lock_acquire) from [<c08aa2f8>] (mutex_lock_nested+0x50/0x3b0) [<c08aa2f8>] (mutex_lock_nested) from [<c05f5bf8>] (rtl8187_start+0x2c/0xd54) [<c05f5bf8>] (rtl8187_start) from [<c082dea0>] (drv_start+0xa8/0x320) [<c082dea0>] (drv_start) from [<c084d1d4>] (ieee80211_do_open+0x2bc/0x8e4) [<c084d1d4>] (ieee80211_do_open) from [<c069be94>] (__dev_open+0xb8/0x120) [<c069be94>] (__dev_open) from [<c069c11c>] (__dev_change_flags+0x88/0x14c) [<c069c11c>] (__dev_change_flags) from [<c069c1f8>] (dev_change_flags+0x18/0x48) [<c069c1f8>] (dev_change_flags) from [<c0710b08>] (devinet_ioctl+0x738/0x840) [<c0710b08>] (devinet_ioctl) from [<c067925c>] (sock_ioctl+0x164/0x2f4) [<c067925c>] (sock_ioctl) from [<c02883f8>] (do_vfs_ioctl+0x8c/0x9d0) [<c02883f8>] (do_vfs_ioctl) from [<c0288da8>] (SyS_ioctl+0x6c/0x7c) [<c0288da8>] (SyS_ioctl) from [<c0107760>] (ret_fast_syscall+0x0/0x1c) Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = cd1ec000 [00000000] *pgd=8d1de831, *pte=00000000, *ppte=00000000 Internal error: Oops: 817 [#1] PREEMPT ARM Modules linked in: CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 Hardware name: Generic AM3517 (Flattened Device Tree) task: ce73eec0 task.stack: cd1ea000 PC is at mutex_lock_nested+0xe8/0x3b0 LR is at mutex_lock_nested+0xd0/0x3b0
Signed-off-by: Sudhir Sreedharan ssreedharan@mvista.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/rtl818x/rtl8187/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_inte goto err_free_dev; } mutex_init(&priv->io_mutex); + mutex_init(&priv->conf_mutex);
SET_IEEE80211_DEV(dev, &intf->dev); usb_set_intfdata(intf, dev); @@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_inte printk(KERN_ERR "rtl8187: Cannot register device\n"); goto err_free_dmabuf; } - mutex_init(&priv->conf_mutex); skb_queue_head_init(&priv->b_tx_status.queue);
wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
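Review bot: conf_mutex now gets initialised next to io_mutex early in rtl8187_probe(), but skb_queue_head_init(&priv->b_tx_status.queue) is still left after the "Cannot register device" error path, which is after the point at which the commit message says rtl8187_start() can already run. If anything reachable once the device is registered touches b_tx_status.queue, it has the same ordering problem and should move up together with the mutex.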
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen Thinh.Nguyen@synopsys.com
commit cabdf83dadfb3d83eec31e0f0638a92dbd716435 upstream.
Platform device is allocated before adding resources. Make sure to properly cleanup on error case.
Fixes: f1c7e7108109 ("usb: dwc3: convert to pcim_enable_device()") Signed-off-by: Thinh Nguyen thinhn@synopsys.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.16: Cleanup label is called "err3"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/dwc3/dwc3-pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-pci.c +++ b/drivers/usb/dwc3/dwc3-pci.c @@ -144,7 +144,7 @@ static int dwc3_pci_probe(struct pci_dev ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res)); if (ret) { dev_err(dev, "couldn't add resources to dwc3 device\n"); - return ret; + goto err3; }
pci_set_drvdata(pci, glue);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bai Ping b51503@freescale.com
commit 84866ee5818e95f6e97194656777c10ac24cb9d3 upstream.
The irq handler should be registered after the tempmon module has been initialized in a known state and the thermal_zone and cpu_cooling device have been registered successfully. Otherwise, if the irq is triggered earlier before thermal probe has been finished, it may lead to 'NULL' pointer kernel panic.
Signed-off-by: Bai Ping b51503@freescale.com Signed-off-by: Eduardo Valentin edubezval@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/thermal/imx_thermal.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/thermal/imx_thermal.c +++ b/drivers/thermal/imx_thermal.c @@ -422,14 +422,6 @@ static int imx_thermal_probe(struct plat if (data->irq < 0) return data->irq;
- ret = devm_request_threaded_irq(&pdev->dev, data->irq, - imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, - 0, "imx_thermal", data); - if (ret < 0) { - dev_err(&pdev->dev, "failed to request alarm irq: %d\n", ret); - return ret; - } - platform_set_drvdata(pdev, data);
ret = imx_get_sensor_data(pdev); @@ -492,6 +484,17 @@ static int imx_thermal_probe(struct plat regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN); regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+ ret = devm_request_threaded_irq(&pdev->dev, data->irq, + imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, + 0, "imx_thermal", data); + if (ret < 0) { + dev_err(&pdev->dev, "failed to request alarm irq: %d\n", ret); + clk_disable_unprepare(data->thermal_clk); + thermal_zone_device_unregister(data->tz); + cpufreq_cooling_unregister(data->cdev); + return ret; + } + data->irq_enabled = true; data->mode = THERMAL_DEVICE_ENABLED;
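Review bot: devm_request_threaded_irq() now follows sensor setup in imx_thermal_probe(), but data->irq_enabled = true and data->mode = THERMAL_DEVICE_ENABLED are still assigned after it, so a handler that fires as soon as the IRQ is requested sees both fields in their pre-probe state. Those assignments should come before the request; the later imx_thermal patch in this series, which sets the 'data' members prior to requesting the interrupts, covers this and should be applied together with this one. The new error path also releases the clock, thermal zone and cooling device by hand but leaves the sensor in the powered-up, measuring state written by the two regmap_write() calls just above.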
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit dd345a31bfdec350d2593e6de5964e55c7f19c76 upstream.
The auart_port[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: - Explicitly clean up port on error - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/mxs-auart.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/mxs-auart.c +++ b/drivers/tty/serial/mxs-auart.c @@ -1050,6 +1050,11 @@ static int mxs_auart_probe(struct platfo s->port.line = pdev->id < 0 ? 0 : pdev->id; else if (ret < 0) goto out_free; + if (s->port.line >= ARRAY_SIZE(auart_port)) { + dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); + ret = -EINVAL; + goto out_free; + }
if (of_id) { pdev->id_entry = of_id->data;
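Review bot: the diffstat posted with this patch reports 4 insertions, but the hunk header (-1050,6 +1050,11) and the added lines show 5, the extra ones coming from the explicit ret = -EINVAL; goto out_free; cleanup noted in the backport comment. Regenerating the diffstat would keep the posted summary consistent with what is actually applied in mxs_auart_probe().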
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche bart.vanassche@wdc.com
commit e68088e78d82920632eba112b968e49d588d02a2 upstream.
Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it did not really matter whether or not abort handlers like srp_abort() called .scsi_done() when returning another value than SUCCESS. Since that commit however this matters. Hence only call .scsi_done() when returning SUCCESS.
Signed-off-by: Bart Van Assche bart.vanassche@wdc.com Signed-off-by: Jason Gunthorpe jgg@mellanox.com [bwh: Backported to 3.16: s/ch/target/] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/ulp/srp/ib_srp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -2393,9 +2393,11 @@ static int srp_abort(struct scsi_cmnd *s ret = FAST_IO_FAIL; else ret = FAILED; - srp_free_req(target, req, scmnd, 0); - scmnd->result = DID_ABORT << 16; - scmnd->scsi_done(scmnd); + if (ret == SUCCESS) { + srp_free_req(target, req, scmnd, 0); + scmnd->result = DID_ABORT << 16; + scmnd->scsi_done(scmnd); + }
return ret; }
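Review bot: in srp_abort(), srp_free_req() is now skipped together with scsi_done() whenever ret is FAST_IO_FAIL or FAILED, so on those paths the request is still held when the abort handler returns. The commit message explains why scsi_done() must not be called there but says nothing about the request itself; a sentence on who releases req in the failure cases, or a comment at the new if (ret == SUCCESS), would close that gap.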
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream.
With ecb-cast5-avx, if a 128+ byte scatterlist element followed a shorter one, then the algorithm accidentally encrypted/decrypted only 8 bytes instead of the expected 128 bytes. Fix it by setting the encryption/decryption 'fn' correctly.
Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/crypto/cast5_avx_glue.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/x86/crypto/cast5_avx_glue.c +++ b/arch/x86/crypto/cast5_avx_glue.c @@ -67,8 +67,6 @@ static int ecb_crypt(struct blkcipher_de void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src); int err;
- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; - err = blkcipher_walk_virt(desc, walk); desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
@@ -80,6 +78,7 @@ static int ecb_crypt(struct blkcipher_de
/* Process multi-block batch */ if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) { + fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; do { fn(ctx, wdst, wsrc);
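Review bot: with the assignment moved inside the multi-block branch of ecb_crypt(), fn is declared without an initial value and is set here only when nbytes >= bsize * CAST5_PARALLEL_BLOCKS. The single-block path is outside the visible context, so please confirm that it assigns fn before every call on each pass through the walk loop; otherwise a walk step that is too short for the 16-way routine would call through a stale or uninitialised pointer.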
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 1f1e82f74c0947e40144688c9e36abe4b3999f49 upstream.
Add device id for ELDAT Easywave RX09 transceiver.
Reported-by: Jan Jansen nattelip@hotmail.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/cp210x.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -151,6 +151,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ + { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */ { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */ { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck linux@roeck-us.net
commit a46f8cd696624ef757be0311eb28f119c36778e8 upstream.
A negative page register value means that no page needs to be selected. This is used by status register evaluations and needs to be accepted.
Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hwmon/pmbus/max8688.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/max8688.c +++ b/drivers/hwmon/pmbus/max8688.c @@ -44,7 +44,7 @@ static int max8688_read_word_data(struct { int ret;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) {
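Review bot: the change from if (page) to if (page > 0) in max8688_read_word_data() encodes a convention, that a negative page means no page needs to be selected, which is stated only in the commit message. A one-line comment above the test would keep a later cleanup from tightening it back to a plain non-zero check.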
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo bo.li.liu@oracle.com
commit 5811375325420052fcadd944792a416a43072b7f upstream.
Fstests generic/475 provides a way to fail metadata reads while checking if checksum exists for the inode inside run_delalloc_nocow(), and csum_exist_in_range() interprets error (-EIO) as inode having checksum and makes its caller enter the cow path.
In case of free space inode, this ends up with a warning in cow_file_range().
The same problem applies to btrfs_cross_ref_exist() since it may also read metadata in between.
With this, run_delalloc_nocow() bails out when errors occur at the two places.
Fixes: 17d217fe970d ("Btrfs: fix nodatasum handling in balancing code") Signed-off-by: Liu Bo bo.li.liu@oracle.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -1145,6 +1145,8 @@ static noinline int csum_exist_in_range( list_del(&sums->list); kfree(sums); } + if (ret < 0) + return ret; return 1; }
@@ -1294,10 +1296,23 @@ next_slot: goto out_check; if (btrfs_extent_readonly(root, disk_bytenr)) goto out_check; - if (btrfs_cross_ref_exist(trans, root, ino, - found_key.offset - - extent_offset, disk_bytenr)) + ret = btrfs_cross_ref_exist(trans, root, ino, + found_key.offset - + extent_offset, disk_bytenr); + if (ret) { + /* + * ret could be -EIO if the above fails to read + * metadata. + */ + if (ret < 0) { + if (cow_start != (u64)-1) + cur_offset = cow_start; + goto error; + } + + WARN_ON_ONCE(nolock); goto out_check; + } disk_bytenr += extent_offset; disk_bytenr += cur_offset - found_key.offset; num_bytes = min(end + 1, extent_end) - cur_offset; @@ -1315,8 +1330,22 @@ next_slot: * this ensure that csum for a given extent are * either valid or do not exist. */ - if (csum_exist_in_range(root, disk_bytenr, num_bytes)) + ret = csum_exist_in_range(root, disk_bytenr, + num_bytes); + if (ret) { + + /* + * ret could be -EIO if the above fails to read + * metadata. + */ + if (ret < 0) { + if (cow_start != (u64)-1) + cur_offset = cow_start; + goto error; + } + WARN_ON_ONCE(nolock); goto out_check; + } nocow = 1; } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { extent_end = found_key.offset +
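Review bot: both new error blocks add WARN_ON_ONCE(nolock) on the positive-return path before goto out_check, which the commit message does not mention; the changelog should say why a free space inode reaching that path deserves a warning. The two blocks are otherwise identical apart from a stray blank line after if (ret) { in the second, so a shared helper or a common label would keep them from drifting apart.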
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zhengjun Xing zhengjun.xing@linux.intel.com
commit 64627388b50158fd24d6ad88132525b95a5ef573 upstream.
USB3 hubs don't support global suspend.
USB3 specification 10.10, Enhanced SuperSpeed hubs only support selective suspend and resume, they do not support global suspend/resume where the hub downstream facing ports states are not affected.
When system enters hibernation it first enters freeze process where only the root hub enters suspend, usb_port_suspend() is not called for other devices, and suspend status flags are not set for them. Other devices are expected to suspend globally. Some external USB3 hubs will suspend the downstream facing port at global suspend. These devices won't be resumed at thaw as the suspend status flag is not set.
A USB3 removable hard disk connected through a USB3 hub that won't resume at thaw will fail to synchronize SCSI cache, return “cmd cmplt err -71” error, and needs a 60-second timeout, which causes a system hang for 60s before the USB host resets the port for the USB3 removable hard disk to recover.
Fix this by always calling usb_port_suspend() during freeze for USB3 devices.
Signed-off-by: Zhengjun Xing zhengjun.xing@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/generic.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/generic.c +++ b/drivers/usb/core/generic.c @@ -208,8 +208,13 @@ static int generic_suspend(struct usb_de if (!udev->parent) rc = hcd_bus_suspend(udev, msg);
- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */ - else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) + /* + * Non-root USB2 devices don't need to do anything for FREEZE + * or PRETHAW. USB3 devices don't support global suspend and + * needs to be selectively suspended. + */ + else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) + && (udev->speed < USB_SPEED_SUPER)) rc = 0; else rc = usb_port_suspend(udev, msg);
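Review bot: The new comment says "Non-root USB2 devices", but the condition is `udev->speed < USB_SPEED_SUPER`, which exempts every speed below SuperSpeed rather than USB2 specifically. Wording the comment as "devices slower than SuperSpeed" would match the test. Minor: "needs to be selectively suspended" should read "need", and kernel style puts the `&&` at the end of the previous line rather than at the start of the continuation.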
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Lappo mikhail.lappo@esrlabs.com
commit cf1ba1d73a33944d8c1a75370a35434bf146b8a7 upstream.
When the device boots with T > T_trip_1 and requests an interrupt, a race condition takes place. The interrupt comes before THERMAL_DEVICE_ENABLED is set. This leads to an attempt to read the sensor value from the irq and disable the sensor, based on the data->mode field, which is expected to be THERMAL_DEVICE_ENABLED, but still stays as THERMAL_DEVICE_DISABLED. After this issue the sensor is never re-enabled, as the driver state is wrong.
Fix this problem by setting the 'data' members prior to requesting the interrupts.
Fixes: 37713a1e8e4c ("thermal: imx: implement thermal alarm interrupt handling") Signed-off-by: Mikhail Lappo mikhail.lappo@esrlabs.com Signed-off-by: Fabio Estevam fabio.estevam@nxp.com Reviewed-by: Philipp Zabel p.zabel@pengutronix.de Acked-by: Dong Aisheng aisheng.dong@nxp.com Signed-off-by: Zhang Rui rui.zhang@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/thermal/imx_thermal.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/thermal/imx_thermal.c +++ b/drivers/thermal/imx_thermal.c @@ -484,6 +484,9 @@ static int imx_thermal_probe(struct plat regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN); regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+ data->irq_enabled = true; + data->mode = THERMAL_DEVICE_ENABLED; + ret = devm_request_threaded_irq(&pdev->dev, data->irq, imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, 0, "imx_thermal", data); @@ -495,9 +498,6 @@ static int imx_thermal_probe(struct plat return ret; }
- data->irq_enabled = true; - data->mode = THERMAL_DEVICE_ENABLED; - return 0; }
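Review bot: With `data->irq_enabled = true` and `data->mode = THERMAL_DEVICE_ENABLED` now set before `devm_request_threaded_irq()`, the `return ret` failure path after the request leaves both fields claiming an enabled device although no interrupt was registered. If nothing can read `data` after a failed probe, a short comment saying so is enough; otherwise reset the two fields before returning. A comment above the moved assignments, noting that they must precede the IRQ request because the interrupt path acts on `data->mode`, would stop a later cleanup from moving them back.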
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk jandryuk@gmail.com
commit ef6eaf27274c0351f7059163918f3795da13199c upstream.
Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started writing messages when the ret_size is <= 2 from i2c_master_recv. However, my device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop moving the pointing stick or touchpad. It varies, but you get ~50 messages each time which spams the log hard.
[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
This has also been observed with a i2c-ALP0017.
[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
Only print the message when ret_size is totally invalid and less than 2 to cut down on the log spam.
Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage") Reported-by: John Smith john-s-84@gmx.net Signed-off-by: Jason Andryuk jandryuk@gmail.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/i2c-hid/i2c-hid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -399,7 +399,7 @@ static void i2c_hid_get_input(struct i2c return; }
- if ((ret_size > size) || (ret_size <= 2)) { + if ((ret_size > size) || (ret_size < 2)) { dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", __func__, size, ret_size); return;
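Review bot: The boundary moves from `ret_size <= 2` to `ret_size < 2` with no comment in the code, so the reason a 2-byte read is now accepted silently lives only in the commit message. Add a comment at the check stating what a return of exactly 2 means for these devices, and confirm that the code after this block (not in the context shown) copes with a 2-byte buffer. Separately, the format string prints `size` before `ret_size` under "incomplete report (%d/%d)", which is easy to misread as received/expected; the sample log line `(83/2)` shows the effect.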
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Brad Volkin bradley.d.volkin@intel.com
commit 00caf0199f66871b0e2c28d7c2079de0ce1d646c upstream.
The other paths in the command parser that reject a batch all log a message indicating the reason. We simply missed this one.
Signed-off-by: Brad Volkin bradley.d.volkin@intel.com Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -887,8 +887,10 @@ static bool check_cmd(const struct intel * OACONTROL writes to only MI_LOAD_REGISTER_IMM commands. */ if (reg_addr == OACONTROL) { - if (desc->cmd.value == MI_LOAD_REGISTER_MEM) + if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { + DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); return false; + }
if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) *oacontrol_set = (cmd[2] != 0);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit afc7851fab8329eddcf321c9e0a58c893f351dd6 upstream.
The serial_pxa_ports[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 699c20f3e6310aa2 ("serial: pxa: add OF support") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/pxa.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/pxa.c +++ b/drivers/tty/serial/pxa.c @@ -888,6 +888,10 @@ static int serial_pxa_probe(struct platf sport->port.line = dev->id; else if (ret < 0) goto err_clk; + if (sport->port.line >= ARRAY_SIZE(serial_pxa_ports)) { + dev_err(&dev->dev, "serial%d out of range\n", sport->port.line); + return -EINVAL; + } snprintf(sport->name, PXA_NAME_LEN - 1, "UART%d", sport->port.line + 1);
sport->port.membase = ioremap(mmres->start, resource_size(mmres));
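Review bot: The new range check leaves with a bare `return -EINVAL`, while the failure test immediately above it uses `goto err_clk`. Whatever `err_clk` releases is therefore skipped on the out-of-range path; unless nothing has been acquired at this point, this should be `ret = -EINVAL; goto err_clk;`.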
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Cox alan@llwyncelyn.cymru
commit 8a8dabf2dd68caff842d38057097c23bc514ea6e upstream.
Historically the N_TTY driver could never fail but this has become broken over time. Rather than trying to rewrite half the ldisc layer to fix the breakage introduce a second level of fallback with an N_NULL ldisc which cannot fail, and thus restore the guarantees required by the ldisc layer.
We still try and fail to N_TTY first. It's much more useful to find yourself back in your old ldisc (first attempt) or in N_TTY (second attempt), and while I'm not aware of any code out there that makes those assumptions it's good to drive(r) defensively.
Signed-off-by: Alan Cox alan@linux.intel.com Reported-by: Dmitry Vyukov dvyukov@google.com Tested-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/tty/Makefile +++ b/drivers/tty/Makefile @@ -1,5 +1,6 @@ obj-$(CONFIG_TTY) += tty_io.o n_tty.o tty_ioctl.o tty_ldisc.o \ - tty_buffer.o tty_port.o tty_mutex.o tty_ldsem.o + tty_buffer.o tty_port.o tty_mutex.o \ + tty_ldsem.o n_null.o obj-$(CONFIG_LEGACY_PTYS) += pty.o obj-$(CONFIG_UNIX98_PTYS) += pty.o obj-$(CONFIG_AUDIT) += tty_audit.o --- /dev/null +++ b/drivers/tty/n_null.c 
@@ -0,0 +1,80 @@ +#include <linux/types.h> +#include <linux/errno.h> +#include <linux/tty.h> +#include <linux/module.h> + +/* + * n_null.c - Null line discipline used in the failure path + * + * Copyright (C) Intel 2017 + * + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + */ + +static int n_null_open(struct tty_struct *tty) +{ + return 0; +} + +static void n_null_close(struct tty_struct *tty) +{ +} + +static ssize_t n_null_read(struct tty_struct *tty, struct file *file, + unsigned char __user * buf, size_t nr) +{ + return -EOPNOTSUPP; +} + +static ssize_t n_null_write(struct tty_struct *tty, struct file *file, + const unsigned char *buf, size_t nr) +{ + return -EOPNOTSUPP; +} + +static void n_null_receivebuf(struct tty_struct *tty, + const unsigned char *cp, char *fp, + int cnt) +{ +} + +static struct tty_ldisc_ops null_ldisc = { + .owner = THIS_MODULE, + .magic = TTY_LDISC_MAGIC, + .name = "n_null", + .open = n_null_open, + .close = n_null_close, + .read = n_null_read, + .write = n_null_write, + .receive_buf = n_null_receivebuf +}; + +static int __init n_null_init(void) +{ + BUG_ON(tty_register_ldisc(N_NULL, &null_ldisc)); + return 0; +} + +static void __exit n_null_exit(void) +{ + tty_unregister_ldisc(N_NULL); +} + +module_init(n_null_init); +module_exit(n_null_exit); + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Alan Cox"); +MODULE_ALIAS_LDISC(N_NULL); +MODULE_DESCRIPTION("Null ldisc driver"); 
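Review bot: `n_null_init()` performs the registration inside the assertion, `BUG_ON(tty_register_ldisc(N_NULL, &null_ldisc))`, which hides a required side effect in a macro argument. Store the return value in a local and test that, so the call stays visible to readers and to anyone grepping for the registration. `n_null_read()` and `n_null_write()` return `-EOPNOTSUPP` without comment; a line in the file header on what a process attached to a tty in this state should expect would document the user-visible behaviour.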
--- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -474,6 +474,29 @@ static void tty_ldisc_close(struct tty_s }
/** + * tty_ldisc_failto - helper for ldisc failback + * @tty: tty to open the ldisc on + * @ld: ldisc we are trying to fail back to + * + * Helper to try and recover a tty when switching back to the old + * ldisc fails and we need something attached. + */ + +static int tty_ldisc_failto(struct tty_struct *tty, int ld) +{ + struct tty_ldisc *disc = tty_ldisc_get(tty, ld); + int r; + + if (IS_ERR(disc)) + return PTR_ERR(disc); + tty->ldisc = disc; + tty_set_termios_ldisc(tty, ld); + if ((r = tty_ldisc_open(tty, disc)) < 0) + tty_ldisc_put(disc); + return r; +} + +/** * tty_ldisc_restore - helper for tty ldisc change * @tty: tty to recover * @old: previous ldisc @@ -485,8 +508,6 @@ static void tty_ldisc_close(struct tty_s static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) { char buf[64]; - struct tty_ldisc *new_ldisc; - int r;
/* There is an outstanding reference here so this is safe */ old = tty_ldisc_get(tty, old->ops->num); @@ -495,17 +516,13 @@ static void tty_ldisc_restore(struct tty tty_set_termios_ldisc(tty, old->ops->num); if (tty_ldisc_open(tty, old) < 0) { tty_ldisc_put(old); - /* This driver is always present */ - new_ldisc = tty_ldisc_get(tty, N_TTY); - if (IS_ERR(new_ldisc)) - panic("n_tty: get"); - tty->ldisc = new_ldisc; - tty_set_termios_ldisc(tty, N_TTY); - r = tty_ldisc_open(tty, new_ldisc); - if (r < 0) - panic("Couldn't open N_TTY ldisc for " - "%s --- error %d.", - tty_name(tty, buf), r); + /* The traditional behaviour is to fall back to N_TTY, we + want to avoid falling back to N_NULL unless we have no + choice to avoid the risk of breaking anything */ + if (tty_ldisc_failto(tty, N_TTY) < 0 && + tty_ldisc_failto(tty, N_NULL) < 0) + panic("Couldn't open N_NULL ldisc for %s.", + tty_name(tty, buf)); } }
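Review bot: In `tty_ldisc_failto()`, when `tty_ldisc_open()` fails the helper calls `tty_ldisc_put(disc)` but leaves `tty->ldisc` pointing at the ldisc it just released. In `tty_ldisc_restore()` that is harmless, because the next `tty_ldisc_failto()` call overwrites the pointer or the kernel panics, but the helper's kernel-doc should say that `tty->ldisc` is not valid after a negative return, or the helper should clear it. Style: `if ((r = tty_ldisc_open(tty, disc)) < 0)` puts an assignment inside the condition; split it into two statements. The panic text now names only N_NULL and no longer prints the error code that the removed message included.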
--- a/include/uapi/linux/tty.h +++ b/include/uapi/linux/tty.h @@ -34,5 +34,6 @@ #define N_TI_WL 22 /* for TI's WL BT, FM, GPS combo chips */ #define N_TRACESINK 23 /* Trace data routing for MIPI P1149.7 */ #define N_TRACEROUTER 24 /* Trace data routing for MIPI P1149.7 */ +#define N_NULL 27 /* Null ldisc used for error handling */
#endif /* _UAPI_LINUX_TTY_H */
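Review bot: `N_NULL` is defined as 27 directly after `N_TRACEROUTER` at 24, and nothing in the header says why 25 and 26 are skipped. Since this is a uapi header, add a short comment stating that the gap is intentional (and, if that is the reason, that the value is kept identical to upstream), so a later backport does not hand out 25 or 26 for something else.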
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso dave@stgolabs.net
commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream.
Patch series "ipc/shm: shmat() fixes around nil-page".
These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page.
The first reverts a commit for which it was incorrectly thought that mapping nil-page (address=0) was a no-no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP, which is addressed in the second patch.
I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP).
[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
This patch (of 2):
Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") worked on the idea that we should not be mapping as root addr=0 and MAP_FIXED. However, it was reported that this scenario is in fact valid, thus making the patch both bogus and breaks userspace as well.
For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1].
[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/i... Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") Signed-off-by: Davidlohr Bueso dbueso@suse.de Reported-by: Joe Lawrence joe.lawrence@redhat.com Reported-by: Andrea Arcangeli aarcange@redhat.com Cc: Manfred Spraul manfred@colorfullife.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- ipc/shm.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-)
--- a/ipc/shm.c +++ b/ipc/shm.c @@ -1112,13 +1112,8 @@ long do_shmat(int shmid, char __user *sh goto out; else if ((addr = (ulong)shmaddr)) { if (addr & (shmlba - 1)) { - /* - * Round down to the nearest multiple of shmlba. - * For sane do_mmap_pgoff() parameters, avoid - * round downs that trigger nil-page and MAP_FIXED. - */ - if ((shmflg & SHM_RND) && addr >= shmlba) - addr &= ~(shmlba - 1); + if (shmflg & SHM_RND) + addr &= ~(shmlba - 1); /* round down */ else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK)
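Review bot: With `addr >= shmlba` removed from the `SHM_RND` branch, any non-zero `addr` below `shmlba` now rounds down to 0, and the replacement comment `/* round down */` no longer mentions that. Because the commit message defers the `SHM_REMAP` case to the second patch of the series, state in a comment here that a zero result is intentional and where the `SHM_REMAP` restriction is enforced, and make sure both patches are applied together in this stable queue.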
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 upstream.
jffs2_fill_super() might fail to allocate jffs2_sb_info; jffs2_kill_sb() must survive that.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/jffs2/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -345,7 +345,7 @@ static void jffs2_put_super (struct supe static void jffs2_kill_sb(struct super_block *sb) { struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); - if (!(sb->s_flags & MS_RDONLY)) + if (c && !(sb->s_flags & MS_RDONLY)) jffs2_stop_garbage_collect_thread(c); kill_mtd_super(sb); kfree(c);
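Review bot: The added `c &&` guard has no comment, so the reason `c` can be NULL in `jffs2_kill_sb()` (a failed allocation in `jffs2_fill_super()`, per the commit message) is not visible at the call site. A one-line comment would keep the check from being removed as redundant. The trailing `kfree(c)` needs no change, since `kfree(NULL)` is a no-op.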
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik gor@linux.ibm.com
commit 15deb080a6087b73089139569558965750e69d67 upstream.
When loadparm is set in reipl parm block, the kernel should also set DIAG308_FLAGS_LP_VALID flag.
This fixes loadparm ignoring during z/VM fcp -> ccw reipl and kvm direct boot -> ccw reipl.
Reviewed-by: Heiko Carstens heiko.carstens@de.ibm.com Signed-off-by: Vasily Gorbik gor@linux.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/s390/kernel/ipl.c | 1 + 1 file changed, 1 insertion(+)
--- a/arch/s390/kernel/ipl.c +++ b/arch/s390/kernel/ipl.c @@ -825,6 +825,7 @@ static ssize_t reipl_generic_loadparm_st /* copy and convert to ebcdic */ memcpy(ipb->ipl_info.ccw.load_parm, buf, lp_len); ASCEBC(ipb->ipl_info.ccw.load_parm, LOADPARM_LEN); + ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID; return len; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring elfring@users.sourceforge.net
commit f9815f945aff2204b8afbbb9d2182024eb44a194 upstream.
Replace an error code for the indication of a memory allocation failure in this function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2: Initial git repository build") Suggested-by: Rolf Eike Beer eike-kernel@sf-tec.de Signed-off-by: Markus Elfring elfring@users.sourceforge.net Cc: Helge Deller deller@gmx.de Cc: "James E. J. Bottomley" jejb@parisc-linux.org Signed-off-by: Bartlomiej Zolnierkiewicz b.zolnierkie@samsung.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/video/fbdev/stifb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/stifb.c +++ b/drivers/video/fbdev/stifb.c @@ -1091,7 +1091,7 @@ static int __init stifb_init_fb(struct s fb = kzalloc(sizeof(*fb), GFP_ATOMIC); if (!fb) { printk(KERN_ERR "stifb: Could not allocate stifb structure\n"); - return -ENODEV; + return -ENOMEM; } info = &fb->info;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream.
syzbot reported :
BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline] BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netlink/af_netlink.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1658,6 +1658,8 @@ static int netlink_sendmsg(struct kiocb
if (msg->msg_namelen) { err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) + goto out; if (addr->nl_family != AF_NETLINK) goto out; dst_portid = addr->nl_pid;
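Review bot: The new `msg->msg_namelen < sizeof(struct sockaddr_nl)` test is what makes the following reads of `addr->nl_family` and `addr->nl_pid` safe, but nothing in the code says so. Add a short comment to that effect, and note that the check depends on `err = -EINVAL` being assigned on the line above, so the two should stay adjacent.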
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng kai.heng.feng@canonical.com
commit afb133637071be6deeb8b3d0e55593ffbf63c527 upstream.
The sky2 ethernet stops working after system resume from suspend: [ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
The current 150ms delay is not enough; changing it to 200ms can solve the issue.
BugLink: https://bugs.launchpad.net/bugs/1758507 Signed-off-by: Kai-Heng Feng kai.heng.feng@canonical.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/marvell/sky2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -5070,7 +5070,7 @@ static int sky2_probe(struct pci_dev *pd INIT_WORK(&hw->restart_work, sky2_restart);
pci_set_drvdata(pdev, hw); - pdev->d3_delay = 150; + pdev->d3_delay = 200;
return 0;
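Review bot: `pdev->d3_delay = 200` replaces one bare number with another; the only justification (the "Refused to change power state, currently in D3" failure on resume) is in the commit message. Add a comment at the assignment giving the unit and the failure observed at 150, so the value is not tuned back down later.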
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit a49e2f5d5fb141884452ddb428f551b123d436b5 upstream.
We must validate sockaddr_len, otherwise userspace can pass fewer data than we expect and we end up accessing invalid data.
Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ppp/pppoe.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/net/ppp/pppoe.c +++ b/drivers/net/ppp/pppoe.c @@ -615,6 +615,10 @@ static int pppoe_connect(struct socket * lock_sock(sk);
error = -EINVAL; + + if (sockaddr_len != sizeof(struct sockaddr_pppox)) + goto end; + if (sp->sa_protocol != PX_PROTO_OE) goto end;
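Review bot: The check is a strict `sockaddr_len != sizeof(struct sockaddr_pppox)`, which also rejects callers that pass a larger buffer, although the problem described is only userspace passing less data than expected. If any existing caller passes a longer length, this changes behaviour for it; `sockaddr_len < sizeof(struct sockaddr_pppox)` would close the short read without that risk. If exact equality is intended, say so in a comment.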
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Long Li longli@microsoft.com
commit 2796d303e3c5ec213c578ed3a66872205c126eb8 upstream.
The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will return an invalid DMA address for a buffer on stack. Even worse, this incorrect address can't be detected by ib_dma_mapping_error. Sending data from this address to hardware will not fail, but the remote peer will get junk data.
Fix this by allocating the request on the heap in smb3_validate_negotiate.
Changes in v2: Removed duplicated code on freeing buffers on function exit. (Thanks to Parav Pandit parav@mellanox.com) Fixed typo in the patch title.
Changes in v3: Added "Fixes" to the patch. Changed several sizeof() to use *pointer in place of struct.
Changes in v4: Added detailed comments on the failure through RDMA. Allocate request buffer using GFP_NOFS. Fixed possible memory leak.
Changes in v5: Removed variable ret for checking return value. Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf.
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") Signed-off-by: Long Li longli@microsoft.com Signed-off-by: Steve French stfrench@microsoft.com Reviewed-by: Ronnie Sahlberg lsahlber@redhat.com Reviewed-by: Tom Talpey ttalpey@microsoft.com [bwh: Backported to 3.16: We only ever pass one dialect] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/cifs/smb2pdu.c | 68 ++++++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 30 deletions(-)
--- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -477,8 +477,8 @@ neg_exit:
int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) { - int rc = 0; - struct validate_negotiate_info_req vneg_inbuf; + int rc; + struct validate_negotiate_info_req *pneg_inbuf; struct validate_negotiate_info_rsp *pneg_rsp = NULL; u32 rsplen;
@@ -502,42 +502,47 @@ int smb3_validate_negotiate(const unsign if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
- vneg_inbuf.Capabilities = + pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS); + if (!pneg_inbuf) + return -ENOMEM; + + pneg_inbuf->Capabilities = cpu_to_le32(tcon->ses->server->vals->req_capabilities); - memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, + memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid, SMB2_CLIENT_GUID_SIZE);
if (tcon->ses->sign) - vneg_inbuf.SecurityMode = + pneg_inbuf->SecurityMode = cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); else if (global_secflags & CIFSSEC_MAY_SIGN) - vneg_inbuf.SecurityMode = + pneg_inbuf->SecurityMode = cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); else - vneg_inbuf.SecurityMode = 0; + pneg_inbuf->SecurityMode = 0;
- vneg_inbuf.DialectCount = cpu_to_le16(1); - vneg_inbuf.Dialects[0] = + pneg_inbuf->DialectCount = cpu_to_le16(1); + pneg_inbuf->Dialects[0] = cpu_to_le16(tcon->ses->server->vals->protocol_id);
rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, - (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), + (char *)pneg_inbuf, sizeof(struct validate_negotiate_info_req), (char **)&pneg_rsp, &rsplen);
if (rc != 0) { cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); - return -EIO; + rc = -EIO; + goto out_free_inbuf; }
- if (rsplen != sizeof(struct validate_negotiate_info_rsp)) { + rc = -EIO; + if (rsplen != sizeof(*pneg_rsp)) { cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n", rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */ - if ((rsplen > CIFSMaxBufSize) - || (rsplen < sizeof(struct validate_negotiate_info_rsp))) - goto err_rsp_free; + if (rsplen > CIFSMaxBufSize || rsplen < sizeof(*pneg_rsp)) + goto out_free_rsp; }
/* check validate negotiate info response matches what we got earlier */ @@ -554,15 +559,17 @@ int smb3_validate_negotiate(const unsign goto vneg_out;
/* validate negotiate successful */ + rc = 0; cifs_dbg(FYI, "validate negotiate info successful\n"); - kfree(pneg_rsp); - return 0; + goto out_free_rsp;
vneg_out: cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); -err_rsp_free: +out_free_rsp: kfree(pneg_rsp); - return -EIO; +out_free_inbuf: + kfree(pneg_inbuf); + return rc; }
int
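Review bot: `pneg_inbuf` comes from `kmalloc()`, so it is not zeroed, and the whole `sizeof(struct validate_negotiate_info_req)` is handed to `SMB2_ioctl()` for transmission. The patch assigns `Capabilities`, `Guid`, `SecurityMode`, `DialectCount` and `Dialects[0]`; if the structure has any other bytes (further `Dialects` slots or padding), they go to the server as stale heap contents. `kzalloc()` would rule that out at no real cost. Minor: that `SMB2_ioctl()` argument still spells out the struct type while the rest of the patch moved to `sizeof(*pneg_rsp)`; `sizeof(*pneg_inbuf)` would be consistent. The single exit through `out_free_rsp` and `out_free_inbuf` relies on `pneg_rsp` being initialised to NULL, which the declaration in the first hunk provides.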
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan shuahkh@osg.samsung.com
commit 9020a7efe537856eb3e826ebebdf38a5d07a7857 upstream.
vhci_hcd fails to do reset to put usb device and sockfd in the module remove/stop paths. Fix the leak.
Signed-off-by: Shuah Khan shuahkh@osg.samsung.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/usbip/usbip_common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/usbip/usbip_common.h +++ b/drivers/staging/usbip/usbip_common.h @@ -248,7 +248,7 @@ enum usbip_side { #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) +#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Rivas Costa rodrigorivascosta@gmail.com
commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device and then disconnecting the device, or unloading the driver, can cause a NULL pointer dereference.
When a hidraw device is destroyed it sets 0 to `dev->exist`. Most functions check 'dev->exist' before doing its work, but `hidraw_get_report()` was missing that check.
Signed-off-by: Rodrigo Rivas Costa rodrigorivascosta@gmail.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hidraw.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct int ret = 0, len; unsigned char report_number;
+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { + ret = -ENODEV; + goto out; + } + dev = hidraw_table[minor]->hid;
if (!dev->ll_driver->raw_request) {
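Review bot: The new guard tests `hidraw_table[minor]` and `->exist`, and the next statement reads `hidraw_table[minor]->hid` again, so the fix only holds if the table entry cannot change between the two. The hunk does not show which lock covers this; add a comment naming it (or a `lockdep_assert_held()` on it) at the top of `hidraw_get_report()`, and consider loading `hidraw_table[minor]` into a local once instead of indexing the table three times.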
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
As recently Smatch suggested, one place in OPL3 driver may expand the array directly from the user-space value with speculation: sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
This patch puts array_index_nospec() for hardening against it.
BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/drivers/opl3/opl3_synth.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/sound/drivers/opl3/opl3_synth.c +++ b/sound/drivers/opl3/opl3_synth.c @@ -21,6 +21,7 @@
#include <linux/slab.h> #include <linux/export.h> +#include <linux/nospec.h> #include <sound/opl3.h> #include <sound/asound_fm.h>
@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd { unsigned short reg_side; unsigned char op_offset; - unsigned char voice_offset; + unsigned char voice_offset, voice_op;
unsigned short opl3_reg; unsigned char reg_val; @@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd voice_offset = voice->voice - MAX_OPL2_VOICES; } /* Get register offset of operator */ - op_offset = snd_opl3_regmap[voice_offset][voice->op]; + voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); + voice_op = array_index_nospec(voice->op, 4); + op_offset = snd_opl3_regmap[voice_offset][voice_op];
reg_val = 0x00; /* Set amplitude modulation (tremolo) effect */
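Review bot: `array_index_nospec(voice->op, 4)` hard-codes the size of the second dimension of `snd_opl3_regmap`. Use `ARRAY_SIZE(snd_opl3_regmap[0])` or a named constant so the clamp follows the table if it changes. Also, if `voice->op` is not range-checked earlier in the function (not visible in this context), an out-of-range value is now silently turned into index 0 rather than rejected; an explicit bounds check returning an error before the `array_index_nospec()` calls would make that case visible.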
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Redfearn matt.redfearn@mips.com
commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream.
The micromips implementation of bzero additionally clobbers registers t7 & t8. Specify this in the clobbers list when invoking bzero.
Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.") Reported-by: James Hogan jhogan@kernel.org Signed-off-by: Matt Redfearn matt.redfearn@mips.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/19110/ Signed-off-by: James Hogan jhogan@kernel.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
--- a/arch/mips/include/asm/uaccess.h +++ b/arch/mips/include/asm/uaccess.h @@ -1210,6 +1210,13 @@ __clear_user(void __user *addr, __kernel { __kernel_size_t res;
+#ifdef CONFIG_CPU_MICROMIPS +/* micromips memset / bzero also clobbers t7 & t8 */ +#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31" +#else +#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31" +#endif /* CONFIG_CPU_MICROMIPS */ + if (config_enabled(CONFIG_EVA) && segment_eq(get_fs(), get_ds())) { __asm__ __volatile__( "move\t$4, %1\n\t" @@ -1219,7 +1226,7 @@ __clear_user(void __user *addr, __kernel "move\t%0, $6" : "=r" (res) : "r" (addr), "r" (size) - : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); + : bzero_clobbers); } else { might_fault(); __asm__ __volatile__( @@ -1230,7 +1237,7 @@ __clear_user(void __user *addr, __kernel "move\t%0, $6" : "=r" (res) : "r" (addr), "r" (size) - : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); + : bzero_clobbers); }
return res;
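Review bot: `bzero_clobbers` is `#define`d inside the body of `__clear_user()` in a header and never `#undef`ed, so the macro stays defined for every file that includes `uaccess.h`. Move the `#ifdef CONFIG_CPU_MICROMIPS` block above the function, or add `#undef bzero_clobbers` after the last use. The comment names t7 and t8 while the list adds `"$15"` and `"$24"`; stating that correspondence in the comment would help readers.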
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Rosin peda@axentia.se
commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b upstream.
Returning -1 (-EPERM) is not appropriate here, go with -EIO.
Signed-off-by: Peter Rosin peda@axentia.se Signed-off-by: Wolfram Sang wsa@the-dreams.de Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/i2c/busses/i2c-pmcmsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-pmcmsp.c +++ b/drivers/i2c/busses/i2c-pmcmsp.c @@ -596,7 +596,7 @@ static int pmcmsptwi_master_xfer(struct * TODO: We could potentially loop and retry in the case * of MSP_TWI_XFER_TIMEOUT. */ - return -1; + return -EIO; }
return num;
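Review bot: The `TODO` just above the changed line mentions `MSP_TWI_XFER_TIMEOUT` as a distinct outcome, yet every failure now returns `-EIO`. If the transfer result is available at this point, returning `-ETIMEDOUT` for the timeout case would let callers tell the two apart.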
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vasyl Vavrychuk vvavrychuk@gmail.com
commit 470b5d6f0cf4674be2d1ec94e54283a1770b6a1a upstream.
Arrow USB Blaster integrated on MAX1000 board uses the same vendor ID (0x0403) and product ID (0x6010) as the "original" FTDI device.
This patch avoids picking up by ftdi_sio of the first interface of this USB device. After that this device can be used by Arrow user-space JTAG driver.
Signed-off-by: Vasyl Vavrychuk vvavrychuk@gmail.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -1929,7 +1929,8 @@ static int ftdi_8u2232c_probe(struct usb return ftdi_jtag_probe(serial);
if (udev->product && - (!strcmp(udev->product, "BeagleBone/XDS100V2") || + (!strcmp(udev->product, "Arrow USB Blaster") || + !strcmp(udev->product, "BeagleBone/XDS100V2") || !strcmp(udev->product, "SNAP Connect E10"))) return ftdi_jtag_probe(serial);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: piaojun piaojun@huawei.com
commit 60c7ec9ee4a3410c2cb08850102d363c7e207f48 upstream.
Wait for dlm recovery done when migrating all lock resources in case that new lock resource left after leaving dlm domain. And the left lock resource will cause other nodes BUG.
NodeA NodeB NodeC
umount: dlm_unregister_domain() dlm_migrate_all_locks()
NodeB down
do recovery for NodeB and collect a new lockres from other live nodes:
dlm_do_recovery dlm_remaster_locks dlm_request_all_locks:
dlm_mig_lockres_handler dlm_new_lockres __dlm_insert_lockres
at last NodeA become the master of the new lockres and leave domain: dlm_leave_domain()
mount: dlm_join_domain()
touch file and request for the owner of the new lockres, but all the other nodes said 'NO', so NodeC decide to be the owner, and send do assert msg to other nodes: dlmlock() dlm_get_lock_resource() dlm_do_assert_master()
other nodes receive the msg and found two masters exist. at last cause BUG in dlm_assert_master_handler() -->BUG();
Link: http://lkml.kernel.org/r/5AAA6E25.7090303@huawei.com
Fixes: bc9838c4d44a ("dlm: allow dlm do recovery during shutdown")
Signed-off-by: Jun Piao piaojun@huawei.com
Reviewed-by: Alex Chen alex.chen@huawei.com
Reviewed-by: Yiwen Jiang jiangyiwen@huawei.com
Acked-by: Joseph Qi jiangqi903@gmail.com
Cc: Mark Fasheh mark@fasheh.com
Cc: Joel Becker jlbec@evilplan.org
Cc: Junxiao Bi junxiao.bi@oracle.com
Cc: Changwei Ge ge.changwei@h3c.com
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/ocfs2/dlm/dlmcommon.h | 1 +
 fs/ocfs2/dlm/dlmdomain.c | 15 +++++++++++++++
 fs/ocfs2/dlm/dlmrecovery.c | 13 ++++++++++---
 3 files changed, 26 insertions(+), 3 deletions(-)
--- a/fs/ocfs2/dlm/dlmcommon.h +++ b/fs/ocfs2/dlm/dlmcommon.h @@ -140,6 +140,7 @@ struct dlm_ctxt u8 node_num; u32 key; u8 joining_node; + u8 migrate_done; /* set to 1 means node has migrated all lock resources */ wait_queue_head_t dlm_join_events; unsigned long live_nodes_map[BITS_TO_LONGS(O2NM_MAX_NODES)]; unsigned long domain_map[BITS_TO_LONGS(O2NM_MAX_NODES)]; --- a/fs/ocfs2/dlm/dlmdomain.c +++ b/fs/ocfs2/dlm/dlmdomain.c @@ -460,6 +460,19 @@ redo_bucket: cond_resched_lock(&dlm->spinlock); num += n; } + + if (!num) { + if (dlm->reco.state & DLM_RECO_STATE_ACTIVE) { + mlog(0, "%s: perhaps there are more lock resources " + "need to be migrated after dlm recovery\n", dlm->name); + ret = -EAGAIN; + } else { + mlog(0, "%s: we won't do dlm recovery after migrating " + "all lock resources\n", dlm->name); + dlm->migrate_done = 1; + } + } + spin_unlock(&dlm->spinlock); wake_up(&dlm->dlm_thread_wq);
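Review bot: in the dlmdomain.c hunk, ret is set to -EAGAIN only inside the new if (!num) block when DLM_RECO_STATE_ACTIVE is set, and nothing in the visible lines shows the caller retrying on that value. Please confirm the caller loops until recovery has finished, and add a line to the function comment saying that -EAGAIN means "retry after recovery". The migrate_done comment in dlmcommon.h could also note that the flag is written with dlm->spinlock held.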
@@ -2063,6 +2076,8 @@ static struct dlm_ctxt *dlm_alloc_ctxt(c dlm->joining_node = DLM_LOCK_RES_OWNER_UNKNOWN; init_waitqueue_head(&dlm->dlm_join_events);
+ dlm->migrate_done = 0; + dlm->reco.new_master = O2NM_INVALID_NODE_NUM; dlm->reco.dead_node = O2NM_INVALID_NODE_NUM;
--- a/fs/ocfs2/dlm/dlmrecovery.c +++ b/fs/ocfs2/dlm/dlmrecovery.c @@ -423,12 +423,11 @@ void dlm_wait_for_recovery(struct dlm_ct
static void dlm_begin_recovery(struct dlm_ctxt *dlm) { - spin_lock(&dlm->spinlock); + assert_spin_locked(&dlm->spinlock); BUG_ON(dlm->reco.state & DLM_RECO_STATE_ACTIVE); printk(KERN_NOTICE "o2dlm: Begin recovery on domain %s for node %u\n", dlm->name, dlm->reco.dead_node); dlm->reco.state |= DLM_RECO_STATE_ACTIVE; - spin_unlock(&dlm->spinlock); }
static void dlm_end_recovery(struct dlm_ctxt *dlm) @@ -456,6 +455,13 @@ static int dlm_do_recovery(struct dlm_ct
spin_lock(&dlm->spinlock);
+ if (dlm->migrate_done) { + mlog(0, "%s: no need do recovery after migrating all " + "lock resources\n", dlm->name); + spin_unlock(&dlm->spinlock); + return 0; + } + /* check to see if the new master has died */ if (dlm->reco.new_master != O2NM_INVALID_NODE_NUM && test_bit(dlm->reco.new_master, dlm->recovery_map)) { @@ -490,12 +496,13 @@ static int dlm_do_recovery(struct dlm_ct mlog(0, "%s(%d):recovery thread found node %u in the recovery map!\n", dlm->name, task_pid_nr(dlm->dlm_reco_thread_task), dlm->reco.dead_node); - spin_unlock(&dlm->spinlock);
/* take write barrier */ /* (stops the list reshuffling thread, proxy ast handling) */ dlm_begin_recovery(dlm);
+ spin_unlock(&dlm->spinlock); + if (dlm->reco.new_master == dlm->node_num) goto master_here;
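Review bot: dlm_begin_recovery() changes from taking dlm->spinlock itself to asserting that the caller holds it, which is a change of locking contract with no comment on the function. Add a one-line "caller must hold dlm->spinlock" comment above it and check that no other call site still invokes it unlocked. The printk(KERN_NOTICE ...) inside now also runs with the spinlock held, which lengthens the critical section.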
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
register_netdevice() will call the device's ndo_uninit operation if registration fails after it calls the ndo_init operation. However ppp_dev_uninit() uses ppp->ppp_net which is currently not set until after register_netdevice() returns.
This was fixed upstream as part of commit 6d934c70db6e "ppp: add rtnetlink device creation support".
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2732,6 +2732,7 @@ static struct ppp *ppp_create_interface(
ppp = netdev_priv(dev); ppp->dev = dev; + ppp->ppp_net = net; ppp->mru = PPP_MRU; init_ppp_file(&ppp->file, INTERFACE); ppp->file.hdrlen = PPP_HDRLEN - 2; /* don't count proto bytes */ @@ -2801,8 +2802,6 @@ static struct ppp *ppp_create_interface( goto out2; }
- ppp->ppp_net = net; - atomic_inc(&ppp_unit_count); mutex_unlock(&pn->all_ppp_mutex); rtnl_unlock();
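Review bot: moving ppp->ppp_net = net up next to ppp->dev = dev fixes the ordering the commit message describes, but nothing in the code records why the assignment has to precede registration. A short comment at the new line, for example that ppp_dev_uninit() reads ppp->ppp_net if register_netdevice() fails, would stop a later cleanup from moving it back.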
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peng Hao peng.hao2@zte.com.cn
commit 3140c156e919b0f5fad5c5f6cf7876c39d1d4f06 upstream.
fix a "warning: no previous prototype".
Signed-off-by: Peng Hao peng.hao2@zte.com.cn
Signed-off-by: Paolo Bonzini pbonzini@redhat.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6640,7 +6640,7 @@ int kvm_task_switch(struct kvm_vcpu *vcp } EXPORT_SYMBOL_GPL(kvm_task_switch);
-int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) +static int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) { if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) { /*
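Review bot: with kvm_valid_sregs() now static and, per the warning being fixed, no prototype anywhere, the definition at this position must come before its first use in x86.c. That is worth confirming with a build of this backport, since the hunk shows only the definition and not the call sites. The commit message would also read better if it named the function.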
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit 2e68adcd2fb21b7188ba449f0fab3bee2910e500 upstream.
Calling qdio_release_memory() on error is just plain wrong. It frees the main qdio_irq struct, when following code still uses it.
Also, no other error path in qdio_establish() does this. So trust callers to clean up via qdio_free() if some step of the QDIO initialization fails.
Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
Signed-off-by: Julian Wiedmann jwi@linux.ibm.com
Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/s390/cio/qdio_setup.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
--- a/drivers/s390/cio/qdio_setup.c +++ b/drivers/s390/cio/qdio_setup.c @@ -406,7 +406,6 @@ int qdio_setup_irq(struct qdio_initializ { struct ciw *ciw; struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data; - int rc;
memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib)); memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag)); @@ -443,16 +442,14 @@ int qdio_setup_irq(struct qdio_initializ ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE); if (!ciw) { DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no); - rc = -EINVAL; - goto out_err; + return -EINVAL; } irq_ptr->equeue = *ciw;
ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE); if (!ciw) { DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no); - rc = -EINVAL; - goto out_err; + return -EINVAL; } irq_ptr->aqueue = *ciw;
@@ -460,9 +457,6 @@ int qdio_setup_irq(struct qdio_initializ irq_ptr->orig_handler = init_data->cdev->handler; init_data->cdev->handler = qdio_int_handler; return 0; -out_err: - qdio_release_memory(irq_ptr); - return rc; }
void qdio_print_subchannel_info(struct qdio_irq *irq_ptr,
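Review bot: with the out_err label and its qdio_release_memory() call removed, qdio_setup_irq() now returns -EINVAL and leaves irq_ptr allocated, so cleanup depends entirely on the caller. The commit message says callers clean up via qdio_free(); a comment on qdio_setup_irq() stating that it does not free irq_ptr on failure would make that contract visible in the code.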
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman mpe@ellerman.id.au
commit b8858581febb050688e276b956796bc4a78299ed upstream.
When we patch an alternate feature section, we have to adjust any relative branches that branch out of the alternate section.
But currently we have a bug if we have a branch that points to past the last instruction of the alternate section, eg:
  FTR_SECTION_ELSE
  1:     b       2f
         or      6,6,6
  2:
  ALT_FTR_SECTION_END(...)
         nop
This will result in a relative branch at 1 with a target that equals the end of the alternate section.
That branch does not need adjusting when it's moved to the non-else location. Currently we do adjust it, resulting in a branch that goes off into the link-time location of the else section, which is junk.
The fix is to not patch branches that have a target == end of the alternate section.
Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section")
Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections")
Signed-off-by: Michael Ellerman mpe@ellerman.id.au
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/powerpc/lib/feature-fixups.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/lib/feature-fixups.c +++ b/arch/powerpc/lib/feature-fixups.c @@ -52,7 +52,7 @@ static int patch_alt_instruction(unsigne unsigned int *target = (unsigned int *)branch_target(src);
/* Branch within the section doesn't need translating */ - if (target < alt_start || target >= alt_end) { + if (target < alt_start || target > alt_end) { instr = translate_branch(dest, src); if (!instr) return 1;
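Review bot: the condition changes from target >= alt_end to target > alt_end, but the comment above it still reads "Branch within the section doesn't need translating". A target equal to alt_end is not within the section, so the comment should be extended to say that a branch to the first instruction after the section is also left untranslated.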
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit e521813468f786271a87e78e8644243bead48fad upstream.
Ever since CQ/QAOB support was added, calling qdio_free() straight after qdio_alloc() results in qdio_release_memory() accessing uninitialized memory (ie. q->u.out.use_cq and q->u.out.aobs). Followed by a kmem_cache_free() on the random AOB addresses.
For older kernels that don't have 6e30c549f6ca, the same applies if qdio_establish() fails in the DEV_STATE_ONLINE check.
While initializing q->u.out.use_cq would be enough to fix this particular bug, the more future-proof change is to just zero-alloc the whole struct.
Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann jwi@linux.ibm.com
Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/s390/cio/qdio_setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/s390/cio/qdio_setup.c +++ b/drivers/s390/cio/qdio_setup.c @@ -90,7 +90,7 @@ static int __qdio_allocate_qs(struct qdi int i;
for (i = 0; i < nr_queues; i++) { - q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL); + q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL); if (!q) return -ENOMEM;
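Review bot: switching to kmem_cache_zalloc() makes the later cleanup depend on all-zero being the "not set up" state for the queue fields the commit message names (q->u.out.use_cq and q->u.out.aobs). A one-line comment at the allocation saying that qdio_release_memory() may run on a queue that was never initialised would keep someone from reverting to kmem_cache_alloc() later.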
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream.
We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid PCI resource assigned after reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end).
There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one.
This patch adds the validity check of the newly calculated resource for avoiding the integer overflow problem.
Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de
Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
Signed-off-by: Takashi Iwai tiwai@suse.de
Reported-by: Michael Henders hendersm@shaw.ca
Tested-by: Michael Henders hendersm@shaw.ca
Reviewed-by: Andrew Morton akpm@linux-foundation.org
Cc: Ram Pai linuxram@us.ibm.com
Cc: Bjorn Helgaas bhelgaas@google.com
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 kernel/resource.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/resource.c +++ b/kernel/resource.c @@ -474,7 +474,8 @@ static int __find_resource(struct resour alloc.start = constraint->alignf(constraint->alignf_data, &avail, size, constraint->align); alloc.end = alloc.start + size - 1; - if (resource_contains(&avail, &alloc)) { + if (alloc.start <= alloc.end && + resource_contains(&avail, &alloc)) { new->start = alloc.start; new->end = alloc.end; return 0;
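Review bot: the added alloc.start <= alloc.end test is what rejects a wrapped alloc.end = alloc.start + size - 1, but the code does not say so. Add a comment such as "reject if start + size - 1 overflowed" above the condition. The same test also rejects size == 0 for any non-zero alloc.start, where alloc.end becomes alloc.start - 1; if a zero size can reach this point, that is a behaviour change to confirm.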
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit 569ccae68b38654f04b6842b034aa33857f605fe upstream.
rules in nftables are free'd using kfree, but protected by rcu, i.e. we must wait for a grace period to elapse.
Normal removal path does this, but nf_tables_newrule() doesn't obey this rule during error handling.
It calls nft_trans_rule_add() *after* linking rule, and, if that fails to allocate memory, it unlinks the rule and then kfree() it -- this is unsafe.
Switch order -- first add rule to transaction list, THEN link it to public list.
Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this is not a problem in practice (spotted only during code review).
Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
Signed-off-by: Florian Westphal fw@strlen.de
Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org
[bwh: Backported to 3.16: Some function names are different]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/netfilter/nf_tables_api.c | 59 +++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 27 deletions(-)
--- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1829,41 +1829,46 @@ static int nf_tables_newrule(struct sock }
if (nlh->nlmsg_flags & NLM_F_REPLACE) { - if (nft_rule_is_active_next(net, old_rule)) { - trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, - old_rule); - if (trans == NULL) { - err = -ENOMEM; - goto err2; - } - nft_rule_disactivate_next(net, old_rule); - chain->use--; - list_add_tail_rcu(&rule->list, &old_rule->list); - } else { + if (!nft_rule_is_active_next(net, old_rule)) { err = -ENOENT; goto err2; } - } else if (nlh->nlmsg_flags & NLM_F_APPEND) - if (old_rule) - list_add_rcu(&rule->list, &old_rule->list); - else - list_add_tail_rcu(&rule->list, &chain->rules); - else { - if (old_rule) - list_add_tail_rcu(&rule->list, &old_rule->list); - else - list_add_rcu(&rule->list, &chain->rules); - } + trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, + old_rule); + if (trans == NULL) { + err = -ENOMEM; + goto err2; + } + nft_rule_disactivate_next(net, old_rule); + chain->use--; + + if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { + err = -ENOMEM; + goto err2; + }
- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { - err = -ENOMEM; - goto err3; + list_add_tail_rcu(&rule->list, &old_rule->list); + } else { + if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { + err = -ENOMEM; + goto err2; + } + + if (nlh->nlmsg_flags & NLM_F_APPEND) { + if (old_rule) + list_add_rcu(&rule->list, &old_rule->list); + else + list_add_tail_rcu(&rule->list, &chain->rules); + } else { + if (old_rule) + list_add_tail_rcu(&rule->list, &old_rule->list); + else + list_add_rcu(&rule->list, &chain->rules); + } } chain->use++; return 0;
-err3: - list_del_rcu(&rule->list); err2: nf_tables_rule_destroy(&ctx, rule); err1:
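Review bot: in the NLM_F_REPLACE branch, the second nft_trans_rule_add() (NFT_MSG_NEWRULE) can now fail after the NFT_MSG_DELRULE transaction has been queued, old_rule has been deactivated via nft_rule_disactivate_next() and chain->use has been decremented. The goto err2 path shown here only calls nf_tables_rule_destroy() on the new rule, so please confirm that the batch abort path restores old_rule and chain->use in that case, or reorder so the NEWRULE transaction is allocated before old_rule is touched.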
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 upstream.
KMSAN reported use of uninit-value that I tracked to lack of proper size check on RTA_TABLE attribute.
I also believe RTA_PREFSRC lacks a similar check.
Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
Signed-off-by: Eric Dumazet edumazet@google.com
Reported-by: syzbot syzkaller@googlegroups.com
Acked-by: David Ahern dsahern@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/ipv6/route.c | 2 ++
 1 file changed, 2 insertions(+)
--- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2344,11 +2344,13 @@ void rt6_mtu_change(struct net_device *d
static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) }, + [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) }, [RTA_OIF] = { .type = NLA_U32 }, [RTA_IIF] = { .type = NLA_U32 }, [RTA_PRIORITY] = { .type = NLA_U32 }, [RTA_METRICS] = { .type = NLA_NESTED }, [RTA_MULTIPATH] = { .len = sizeof(struct rtnexthop) }, + [RTA_TABLE] = { .type = NLA_U32 }, };
static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
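Review bot: the new RTA_PREFSRC entry sets only .len with no .type, the same form as RTA_GATEWAY, so it is checked as a minimum length of sizeof(struct in6_addr) and a longer attribute still passes. That is enough to stop the short read the commit message describes, but a comment on rtm_ipv6_policy noting that every attribute read by rtm_to_fib6_config() needs an entry here would help keep the two in step.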
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger richard@nod.at
commit b5094b7f135be34630e3ea8a98fa215715d0f29d upstream.
While UBI and UBIFS seem to work at first sight with MLC NAND, you will most likely lose all your data upon a power-cut or due to read/write disturb. In order to protect users from bad surprises, refuse to attach to MLC NAND.
Signed-off-by: Richard Weinberger richard@nod.at
Acked-by: Boris Brezillon boris.brezillon@bootlin.com
Acked-by: Artem Bityutskiy dedekind1@gmail.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/mtd/ubi/build.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
--- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -905,6 +905,17 @@ int ubi_attach_mtd_dev(struct mtd_info * return -EINVAL; }
+ /* + * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes. + * MLC NAND is different and needs special care, otherwise UBI or UBIFS + * will die soon and you will lose all your data. + */ + if (mtd->type == MTD_MLCNANDFLASH) { + pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n", + mtd->index); + return -EINVAL; + } + if (ubi_num == UBI_DEV_NUM_AUTO) { /* Search for an empty slot in the @ubi_devices array */ for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
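Review bot: the new MTD_MLCNANDFLASH check refuses the attach unconditionally with -EINVAL, the same code the preceding check returns, so user space can tell the two apart only by the pr_err() text. For a stable backport it is worth stating that setups already running UBI on MLC NAND will stop attaching after the update. The message also hard-codes a "ubi:" prefix through pr_err(); if this file has its own error helper, using it would keep the log format consistent.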
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel nicolas.dichtel@6wind.com
commit 82612de1c98e610d194e34178bde3cca7dedce41 upstream.
After commit f6cc9c054e77, the following conf is broken (note that the default loopback mtu is 65536, ie IP_MAX_MTU + 1):
$ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev lo
add tunnel "gre0" failed: Invalid argument
$ ip l a type dummy
$ ip l s dummy1 up
$ ip l s dummy1 mtu 65535
$ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev dummy1
add tunnel "gre0" failed: Invalid argument
dev_set_mtu() doesn't allow to set a mtu which is too large. First, let's cap the mtu returned by ip_tunnel_bind_dev(). Second, remove the magic value 0xFFF8 and use IP_MAX_MTU instead. 0xFFF8 seems to be there for ages, I don't know why this value was used.
With a recent kernel, it's also possible to set a mtu > IP_MAX_MTU:
$ ip l s dummy1 mtu 66000
After that patch, it's also possible to bind an ip tunnel on that kind of interface.
CC: Petr Machata petrm@mellanox.com CC: Ido Schimmel idosch@mellanox.com Link: https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/co... Fixes: f6cc9c054e77 ("ip_tunnel: Emit events for post-register MTU changes") Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com Reviewed-by: Ido Schimmel idosch@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: - Drop change in ip_tunnel_create() - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -387,7 +387,7 @@ static int ip_tunnel_bind_dev(struct net
if (tdev) { hlen = tdev->hard_header_len + tdev->needed_headroom; - mtu = tdev->mtu; + mtu = min(tdev->mtu, IP_MAX_MTU); } dev->iflink = tunnel->parms.link;
@@ -851,7 +851,7 @@ int ip_tunnel_change_mtu(struct net_devi int t_hlen = tunnel->hlen + sizeof(struct iphdr);
if (new_mtu < 68 || - new_mtu > 0xFFF8 - dev->hard_header_len - t_hlen) + new_mtu > IP_MAX_MTU - dev->hard_header_len - t_hlen) return -EINVAL; dev->mtu = new_mtu; return 0; @@ -979,7 +979,7 @@ int ip_tunnel_newlink(struct net_device
mtu = ip_tunnel_bind_dev(dev); if (tb[IFLA_MTU]) { - unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen; + unsigned int max = IP_MAX_MTU - dev->hard_header_len - nt->hlen;
mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, (unsigned int)(max - sizeof(struct iphdr)));
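Review bot: in the first hunk, min(tdev->mtu, IP_MAX_MTU) relies on both operands having the same type, because the kernel's min() warns on a mismatch; if IP_MAX_MTU is a plain int constant in the 3.16 tree, min_t(unsigned int, ...) is needed. In ip_tunnel_change_mtu() and ip_tunnel_newlink() the bound moves from 0xFFF8 to IP_MAX_MTU, which the commit message puts at 65535, so MTU values that were rejected before are now accepted; that user-visible change deserves a line in the backport note.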
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 8005b09d99fac78e6f5fb9da30b5ae94840af03b upstream.
The current error handling code has an issue where it does:
	if (priv->txchan)
		cpdma_chan_destroy(priv->txchan);
The problem is that ->txchan is either valid or an error pointer (which would lead to an Oops). I've changed it to use multiple error labels so that the test can be removed.
Also there were some missing calls to netif_napi_del().
Fixes: 3ef0fdb2342c ("net: davinci_emac: switch to new cpdma layer")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/ethernet/ti/davinci_emac.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/ti/davinci_emac.c +++ b/drivers/net/ethernet/ti/davinci_emac.c @@ -1971,7 +1971,7 @@ static int davinci_emac_probe(struct pla if (IS_ERR(priv->txchan)) { dev_err(&pdev->dev, "error initializing tx dma channel\n"); rc = PTR_ERR(priv->txchan); - goto no_cpdma_chan; + goto err_free_dma; }
priv->rxchan = cpdma_chan_create(priv->dma, rx_chan_num(EMAC_DEF_RX_CH), @@ -1979,14 +1979,14 @@ static int davinci_emac_probe(struct pla if (IS_ERR(priv->rxchan)) { dev_err(&pdev->dev, "error initializing rx dma channel\n"); rc = PTR_ERR(priv->rxchan); - goto no_cpdma_chan; + goto err_free_txchan; }
res = platform_get_resource(pdev, IORESOURCE_IRQ, 0); if (!res) { dev_err(&pdev->dev, "error getting irq res\n"); rc = -ENOENT; - goto no_cpdma_chan; + goto err_free_rxchan; } ndev->irq = res->start;
@@ -2008,7 +2008,7 @@ static int davinci_emac_probe(struct pla pm_runtime_put_noidle(&pdev->dev); dev_err(&pdev->dev, "%s: failed to get_sync(%d)\n", __func__, rc); - goto no_cpdma_chan; + goto err_napi_del; }
/* register the network device */ @@ -2018,7 +2018,7 @@ static int davinci_emac_probe(struct pla dev_err(&pdev->dev, "error in register_netdev\n"); rc = -ENODEV; pm_runtime_put(&pdev->dev); - goto no_cpdma_chan; + goto err_napi_del; }
@@ -2031,11 +2031,13 @@ static int davinci_emac_probe(struct pla
return 0;
-no_cpdma_chan: - if (priv->txchan) - cpdma_chan_destroy(priv->txchan); - if (priv->rxchan) - cpdma_chan_destroy(priv->rxchan); +err_napi_del: + netif_napi_del(&priv->napi); +err_free_rxchan: + cpdma_chan_destroy(priv->rxchan); +err_free_txchan: + cpdma_chan_destroy(priv->txchan); +err_free_dma: cpdma_ctlr_destroy(priv->dma); no_pdata: free_netdev(ndev);
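Review bot: the new labels unwind in the order napi, rxchan, txchan, dma, and the irq-resource failure jumps to err_free_rxchan, skipping netif_napi_del(). That is only right if netif_napi_add() is called after the platform_get_resource() check and before the pm_runtime and register_netdev failure points, which the hunks do not show. Please confirm the position of netif_napi_add() in davinci_emac_probe() for the 3.16 tree.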
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo tj@kernel.org
commit 322579dcc865b94b47345ad1b6002ad167f85405 upstream.
Sandisk SSDs SD7SN6S256G and SD8SN8U256G are regularly locking up under sustained moderate load with NCQ enabled. Blacklist for now.
Signed-off-by: Tejun Heo tj@kernel.org
Reported-by: Dave Jones davej@codemonkey.org.uk
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/ata/libata-core.c | 4 ++++
 1 file changed, 4 insertions(+)
--- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4187,6 +4187,10 @@ static const struct ata_blacklist_entry /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
+ /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on + SD7SN6S256G and SD8SN8U256G */ + { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, + /* devices which puke on READ_NATIVE_MAX */ { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA },
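Review bot: the glob "SanDisk SD[78]SN*G" covers every model whose name starts with SD7SN or SD8SN and ends in G, not only the SD7SN6S256G and SD8SN8U256G named in the comment. If the wider match is intended, say so in the comment; otherwise list the two model strings explicitly. The added two-line comment also does not follow the usual kernel multi-line comment layout.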
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Borisov nborisov@suse.com
commit d87ff75863e92a500538ab53318c5740f196631e upstream.
As with every function which deals with modifying the btree btrfs_uuid_tree_rem can fail for any number of reasons (ie. EIO/ENOMEM). Handle return error value from this function gracefully by aborting the transaction.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") Signed-off-by: Nikolay Borisov nborisov@suse.com Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: - btrfs_{abort,end}_transaction() take a pointer to btrfs_root - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -5051,11 +5051,17 @@ static long _btrfs_ioctl_set_received_su received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, BTRFS_UUID_SIZE); if (received_uuid_changed && - !btrfs_is_empty_uuid(root_item->received_uuid)) - btrfs_uuid_tree_rem(trans, root->fs_info->uuid_root, - root_item->received_uuid, - BTRFS_UUID_KEY_RECEIVED_SUBVOL, - root->root_key.objectid); + !btrfs_is_empty_uuid(root_item->received_uuid)) { + ret = btrfs_uuid_tree_rem(trans, root->fs_info->uuid_root, + root_item->received_uuid, + BTRFS_UUID_KEY_RECEIVED_SUBVOL, + root->root_key.objectid); + if (ret && ret != -ENOENT) { + btrfs_abort_transaction(trans, root, ret); + btrfs_end_transaction(trans, root); + goto out; + } + } memcpy(root_item->received_uuid, sa->uuid, BTRFS_UUID_SIZE); btrfs_set_root_stransid(root_item, sa->stransid); btrfs_set_root_rtransid(root_item, sa->rtransid);
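Review bot: the new error check treats -ENOENT from btrfs_uuid_tree_rem() as success without saying why. Add a comment at "if (ret && ret != -ENOENT)" explaining that a missing UUID item is acceptable here, so the exception is not removed or widened later. Also confirm that the out label does not end the transaction a second time after the btrfs_end_transaction() call added in this branch.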
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov khoroshilov@ispras.ru
commit fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f upstream.
vmxnet3_set_mc() checks new_table_pa returned by dma_map_single() with dma_mapping_error(), but even there it assumes zero is invalid pa (it assumes dma_mapping_error(...,0) returns true if new_table is NULL).
The patch adds an explicit variable to track status of new_table_pa.
Found by Linux Driver Verification project (linuxtesting.org).
v2: use "bool" and "true"/"false" for boolean variables.
Signed-off-by: Alexey Khoroshilov khoroshilov@ispras.ru
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/vmxnet3/vmxnet3_drv.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/net/vmxnet3/vmxnet3_drv.c +++ b/drivers/net/vmxnet3/vmxnet3_drv.c @@ -2078,6 +2078,7 @@ vmxnet3_set_mc(struct net_device *netdev &adapter->shared->devRead.rxFilterConf; u8 *new_table = NULL; dma_addr_t new_table_pa = 0; + bool new_table_pa_valid = false; u32 new_mode = VMXNET3_RXM_UCAST;
if (netdev->flags & IFF_PROMISC) { @@ -2105,13 +2106,15 @@ vmxnet3_set_mc(struct net_device *netdev new_table, rxConf->mfTableLen, PCI_DMA_TODEVICE); + if (!dma_mapping_error(&adapter->pdev->dev, + new_table_pa)) { + new_mode |= VMXNET3_RXM_MCAST; + new_table_pa_valid = true; + rxConf->mfTablePA = cpu_to_le64( + new_table_pa); + } } - - if (!dma_mapping_error(&adapter->pdev->dev, - new_table_pa)) { - new_mode |= VMXNET3_RXM_MCAST; - rxConf->mfTablePA = cpu_to_le64(new_table_pa); - } else { + if (!new_table_pa_valid) { netdev_info(netdev, "failed to copy mcast list, setting ALL_MULTI\n"); new_mode |= VMXNET3_RXM_ALL_MULTI; @@ -2136,7 +2139,7 @@ vmxnet3_set_mc(struct net_device *netdev VMXNET3_CMD_UPDATE_MAC_FILTERS); spin_unlock_irqrestore(&adapter->cmd_lock, flags);
- if (new_table_pa) + if (new_table_pa_valid) dma_unmap_single(&adapter->pdev->dev, new_table_pa, rxConf->mfTableLen, PCI_DMA_TODEVICE); kfree(new_table);
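Review bot: new_table_pa_valid is now the only signal that the mapping succeeded, yet new_table_pa keeps its "= 0" initialiser, which invites the old zero-means-invalid reading; a comment on the declaration that 0 may be a valid DMA address would prevent that. On the failure path rxConf->mfTablePA is no longer written in this block, so please confirm the later code clears it when VMXNET3_RXM_MCAST is not set.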
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ignatov rdna@fb.com
commit 1b97013bfb11d66f041de691de6f0fec748ce016 upstream.
Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed earlier in 919483096bfe.
* udp_sendmsg one was there since the beginning when linux sources were first added to git;
* ping_v4_sendmsg one was copy/pasted in c319b4d76b9e.
Whenever return happens in udp_sendmsg() or ping_v4_sendmsg() IP options have to be freed if they were allocated previously.
Add label so that future callers (if any) can use it instead of kfree() before return that is easy to forget.
Fixes: c319b4d76b9e (net: ipv4: add IPPROTO_ICMP socket kind)
Signed-off-by: Andrey Ignatov rdna@fb.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/ipv4/ping.c | 7 +++++--
 net/ipv4/udp.c | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
--- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -779,8 +779,10 @@ static int ping_v4_sendmsg(struct kiocb ipc.addr = faddr = daddr;
if (ipc.opt && ipc.opt->opt.srr) { - if (!daddr) - return -EINVAL; + if (!daddr) { + err = -EINVAL; + goto out_free; + } faddr = ipc.opt->opt.faddr; } tos = get_rttos(&ipc, inet); @@ -845,6 +847,7 @@ back_from_confirm:
out: ip_rt_put(rt); +out_free: if (free) kfree(ipc.opt); if (!err) { --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -997,8 +997,10 @@ int udp_sendmsg(struct kiocb *iocb, stru ipc.addr = faddr = daddr;
if (ipc.opt && ipc.opt->opt.srr) { - if (!daddr) - return -EINVAL; + if (!daddr) { + err = -EINVAL; + goto out_free; + } faddr = ipc.opt->opt.faddr; connected = 0; } @@ -1103,6 +1105,7 @@ do_append_data:
out: ip_rt_put(rt); +out_free: if (free) kfree(ipc.opt); if (!err)
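Review bot: out_free is placed after ip_rt_put(rt), so the new goto skips the route release, which is correct only if no route has been looked up yet at the srr check in either function. The path also depends on free and err being in a defined state when the jump is taken. Please check that no other bare return remains between the ip_cmsg_send() call and the out label in ping_v4_sendmsg() and udp_sendmsg(), since the commit message introduces the label for exactly that case.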
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Federico Cuello fedux@fedux.com.ar
commit 21493316a3c4598f308d5a9fa31cc74639c4caff upstream.
Currently it's not possible to set volume lower than 26% (it just mutes).
Also fixes this warning:
Warning! Unlikely big volume range (=9472), cval->res is probably wrong.
[13] FU [PCM Playback Volume] ch = 2, val = -9473/-1/1
, and volume works fine for full range.
Signed-off-by: Federico Cuello fedux@fedux.com.ar
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/usb/mixer.c | 8 ++++++++
 1 file changed, 8 insertions(+)
--- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -885,6 +885,14 @@ static void volume_control_quirks(struct } break;
+ case USB_ID(0x0d8c, 0x0103): + if (!strcmp(kctl->id.name, "PCM Playback Volume")) { + usb_audio_info(chip, + "set volume quirk for CM102-A+/102S+\n"); + cval->min = -256; + } + break; + case USB_ID(0x0471, 0x0101): case USB_ID(0x0471, 0x0104): case USB_ID(0x0471, 0x0105):
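Review bot: the quirk for USB_ID(0x0d8c, 0x0103) sets cval->min to -256 with no explanation of where the value comes from, while the warning quoted in the commit message reports -9473 for the same control. A comment giving the source of -256 (datasheet or measurement) would help; also confirm that leaving the maximum and resolution at the device-reported values is intended.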
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit a936b1ef37ce1e996533878f4b23944f9444dcdf upstream.
Creating the global workqueue during driver init may fail, deal with it. Also, destroy the created workqueue on any subsequent error.
Fixes: 0f54761d167f ("qeth: Support VEPA mode")
Signed-off-by: Julian Wiedmann jwi@linux.ibm.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/s390/net/qeth_core_main.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -5832,10 +5832,14 @@ static int __init qeth_core_init(void) mutex_init(&qeth_mod_mutex);
qeth_wq = create_singlethread_workqueue("qeth_wq"); + if (!qeth_wq) { + rc = -ENOMEM; + goto out_err; + }
rc = qeth_register_dbf_views(); if (rc) - goto out_err; + goto dbf_err; qeth_core_root_dev = root_device_register("qeth"); rc = PTR_ERR_OR_ZERO(qeth_core_root_dev); if (rc) @@ -5872,6 +5876,8 @@ slab_err: root_device_unregister(qeth_core_root_dev); register_err: qeth_unregister_dbf_views(); +dbf_err: + destroy_workqueue(qeth_wq); out_err: pr_err("Initializing the qeth device driver failed\n"); return rc;
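Review bot: the commit message promises to destroy the workqueue on any subsequent error, which holds only if every later failure label falls through to the new dbf_err: label. The visible tail runs slab_err, register_err, dbf_err, out_err in that order, but the labels above slab_err are outside the hunk; please confirm none of them jumps straight to out_err. The label name also follows the failing step rather than the resource it releases, so a comment at dbf_err noting that it tears down qeth_wq would make the unwind order easier to audit.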
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eliot Blennerhassett eliot@blennerhassett.gen.nz
commit 51e6f47dd2e3463dac6f37128fd7b7cb40c500de upstream.
Signed-off-by: Eliot Blennerhassett eliot@blennerhassett.gen.nz
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/pci/asihpi/hpimsginit.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
--- a/sound/pci/asihpi/hpimsginit.c +++ b/sound/pci/asihpi/hpimsginit.c @@ -1,7 +1,7 @@ /******************************************************************************
AudioScience HPI driver - Copyright (C) 1997-2011 AudioScience Inc. support@audioscience.com + Copyright (C) 1997-2014 AudioScience Inc. support@audioscience.com
This program is free software; you can redistribute it and/or modify it under the terms of version 2 of the GNU General Public License as @@ -37,11 +37,15 @@ static u16 gwSSX2_bypass; static void hpi_init_message(struct hpi_message *phm, u16 object, u16 function) { - memset(phm, 0, sizeof(*phm)); + u16 size; + if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) - phm->size = msg_size[object]; + size = msg_size[object]; else - phm->size = sizeof(*phm); + size = sizeof(*phm); + + memset(phm, 0, size); + phm->size = size;
if (gwSSX2_bypass) phm->type = HPI_TYPE_SSX2BYPASS_MESSAGE; @@ -60,12 +64,16 @@ static void hpi_init_message(struct hpi_ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function, u16 error) { - memset(phr, 0, sizeof(*phr)); - phr->type = HPI_TYPE_RESPONSE; + u16 size; + if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) - phr->size = res_size[object]; + size = res_size[object]; else - phr->size = sizeof(*phr); + size = sizeof(*phr); + + memset(phr, 0, sizeof(*phr)); + phr->size = size; + phr->type = HPI_TYPE_RESPONSE; phr->object = object; phr->function = function; phr->error = error; @@ -86,7 +94,7 @@ void hpi_init_message_response(struct hp static void hpi_init_messageV1(struct hpi_message_header *phm, u16 size, u16 object, u16 function) { - memset(phm, 0, sizeof(*phm)); + memset(phm, 0, size); if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { phm->size = size; phm->type = HPI_TYPE_REQUEST; @@ -100,7 +108,9 @@ static void hpi_init_messageV1(struct hp void hpi_init_responseV1(struct hpi_response_header *phr, u16 size, u16 object, u16 function) { - memset(phr, 0, sizeof(*phr)); + (void)object; + (void)function; + memset(phr, 0, size); phr->size = size; phr->version = 1; phr->type = HPI_TYPE_RESPONSE;
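Review bot: the commit carries no description, and the change is not cosmetic. hpi_init_message() now zeroes only msg_size[object] bytes where it used to zero sizeof(*phm), so when the table entry is smaller than the struct the tail of the caller's buffer keeps its previous contents, and when it is larger the memset writes past the struct. hpi_init_response() computes the same per-object size but still clears sizeof(*phr), so the two functions are now inconsistent, and hpi_init_messageV1() and hpi_init_responseV1() clear a caller-supplied size through a header pointer with no bound check. Please state the intent in the commit message and either keep the full-struct memset or validate size against the real buffer length before clearing.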
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Redfearn matt.redfearn@mips.com
commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream.
The __clear_user function is defined to return the number of bytes that could not be cleared. From the underlying memset / bzero implementation this means setting register a2 to that number on return. Currently if a page fault is triggered within the memset_partial block, the value loaded into a2 on return is meaningless.
The label .Lpartial_fixup@ is jumped to on page fault. In order to work out how many bytes failed to copy, the exception handler should find how many bytes left in the partial block (andi a2, STORMASK), add that to the partial block end address (a2), and subtract the faulting address to get the remainder. Currently it incorrectly subtracts the partial block start address (t1), which has additionally been clobbered to generate a jump target in memset_partial. Fix this by adding the block end address instead.
This issue was found with the following test code:
      int j, k;
      for (j = 0; j < 512; j++) {
        if ((k = clear_user(NULL, j)) != j) {
           pr_err("clear_user (NULL %d) returned %d\n", j, k);
        }
      }
Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).
Suggested-by: James Hogan jhogan@kernel.org
Signed-off-by: Matt Redfearn matt.redfearn@mips.com
Cc: Ralf Baechle ralf@linux-mips.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19108/
Signed-off-by: James Hogan jhogan@kernel.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/mips/lib/memset.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -204,7 +204,7 @@ PTR_L t0, TI_TASK($28) andi a2, STORMASK LONG_L t0, THREAD_BUADDR(t0) - LONG_ADDU a2, t1 + LONG_ADDU a2, a0 jr ra LONG_SUBU a2, t0
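Review bot: the commit message names a2 as the partial block end address ("add that to the partial block end address (a2)"), but the fix adds a0. A one-register change in an exception fixup is hard to verify from the hunk alone, so please add a comment above LONG_ADDU a2, a0 stating what a0 holds at this point and that t1 has been clobbered by memset_partial. The clear_user(NULL, j) loop from the message would also be worth keeping as a regression test, since the return value is what callers use to decide how much of a user buffer was actually cleared.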
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 30da870ce4a4e007c901858a96e9e394a1daa74a upstream.
we unlock the directory hash too early - if we are looking at secondary link and primary (in another directory) gets removed just as we unlock, we could have the old primary moved in place of the secondary, leaving us to look into freed entry (and leaving our dentry with ->d_fsdata pointing to a freed entry).
Acked-by: David Sterba dsterba@suse.com
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/affs/namei.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/affs/namei.c +++ b/fs/affs/namei.c @@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct de
affs_lock_dir(dir); bh = affs_find_entry(dir, dentry); - affs_unlock_dir(dir); - if (IS_ERR(bh)) + if (IS_ERR(bh)) { + affs_unlock_dir(dir); return ERR_CAST(bh); + } if (bh) { u32 ino = bh->b_blocknr;
@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct de } affs_brelse(bh); inode = affs_iget(sb, ino); - if (IS_ERR(inode)) + if (IS_ERR(inode)) { + affs_unlock_dir(dir); return ERR_CAST(inode); + } } d_add(dentry, inode); + affs_unlock_dir(dir); return NULL; }
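Review bot: affs_lookup() now carries three separate affs_unlock_dir(dir) calls, one per exit, and the lines between the two hunks are not shown, so any return in that region would leave the directory hash locked. A single unlock label at the end of the function, reached by goto from the error paths, would be harder to break in a later change. affs_iget() and d_add() now run with the directory lock held, which is the point of the fix given the freed-entry window described in the message, but it deserves a comment at the lock site so nobody moves the unlock back up.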
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli f.fainelli@gmail.com
commit c0eb05585d4184596453622b5abba7d13dd20667 upstream.
skb->protocol is a __be16 which we would be calling htons() against, while this is not wrong per-se as it correctly results in swapping the value on LE hosts, this still upsets sparse. Adopt a similar pattern to what other drivers do and just assign ip_ver to skb->protocol, and then use htons() against the different constants such that the compiler can resolve the values at build time.
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli f.fainelli@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/broadcom/bcmsysport.c +++ b/drivers/net/ethernet/broadcom/bcmsysport.c @@ -772,7 +772,7 @@ static struct sk_buff *bcm_sysport_inser u32 csum_info; u8 ip_proto; u16 csum_start; - u16 ip_ver; + __be16 ip_ver;
/* Re-allocate SKB if needed */ if (unlikely(skb_headroom(skb) < sizeof(*tsb))) { @@ -791,12 +791,12 @@ static struct sk_buff *bcm_sysport_inser memset(tsb, 0, sizeof(*tsb));
if (skb->ip_summed == CHECKSUM_PARTIAL) { - ip_ver = htons(skb->protocol); + ip_ver = skb->protocol; switch (ip_ver) { - case ETH_P_IP: + case htons(ETH_P_IP): ip_proto = ip_hdr(skb)->protocol; break; - case ETH_P_IPV6: + case htons(ETH_P_IPV6): ip_proto = ipv6_hdr(skb)->nexthdr; break; default: @@ -810,7 +810,8 @@ static struct sk_buff *bcm_sysport_inser
if (ip_proto == IPPROTO_TCP || ip_proto == IPPROTO_UDP) { csum_info |= L4_LENGTH_VALID; - if (ip_proto == IPPROTO_UDP && ip_ver == ETH_P_IP) + if (ip_proto == IPPROTO_UDP && + ip_ver == htons(ETH_P_IP)) csum_info |= L4_UDP; } else csum_info = 0;
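Review bot: after this change ip_ver in bcm_sysport_insert_tsb() is only a copy of skb->protocol, so the local could be dropped and the code could switch on skb->protocol directly, with the later comparison written against skb->protocol as well. If the variable stays, its name is misleading, since it now holds an ethertype in network byte order rather than an IP version; something like proto would match the __be16 type.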
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells dhowells@redhat.com
commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 upstream.
Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions check code.
Fix this by just removing the BUG section. If no permissions are asked for, just return okay if the file exists.
Also:
(1) Split up the directory check so that it has separate if-statements rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the check for MAY_READ and MAY_WRITE).
(2) Check for MAY_CHDIR as MAY_EXEC.
Without the main fix, the following BUG may occur:
	kernel BUG at fs/afs/security.c:386!
	invalid opcode: 0000 [#1] SMP PTI
	...
	RIP: 0010:afs_permission+0x19d/0x1a0 [kafs]
	...
	Call Trace:
	 ? inode_permission+0xbe/0x180
	 ? do_faccessat+0xdc/0x270
	 ? do_syscall_64+0x60/0x1f0
	 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 00d3b7a4533e ("[AFS]: Add security support.")
Reported-by: Jonathan Billings jsbillings@jsbillings.org
Signed-off-by: David Howells dhowells@redhat.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/afs/security.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
--- a/fs/afs/security.c +++ b/fs/afs/security.c @@ -323,18 +323,14 @@ int afs_permission(struct inode *inode, mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
if (S_ISDIR(inode->i_mode)) { - if (mask & MAY_EXEC) { + if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { if (!(access & AFS_ACE_LOOKUP)) goto permission_denied; - } else if (mask & MAY_READ) { - if (!(access & AFS_ACE_LOOKUP)) - goto permission_denied; - } else if (mask & MAY_WRITE) { + } + if (mask & MAY_WRITE) { if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ goto permission_denied; - } else { - BUG(); } } else { if (!(access & AFS_ACE_LOOKUP))
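Review bot: with the else { BUG(); } arm removed, a directory check with mask == 0 now skips both if-statements in afs_permission() and succeeds without consulting access at all. That matches the commit message ("just return okay if the file exists"), but nothing in the code records that this is deliberate; please add a comment in the S_ISDIR branch saying that an empty mask is an existence check and is intentionally allowed. The split also means MAY_WRITE is now tested in addition to the lookup check rather than instead of it, which is a behaviour change worth calling out in the same comment.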
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Parsons lost.distance@yahoo.com
commit 85e290d92b4b794d0c758c53007eb4248d385386 upstream.
Two years ago I tried an AMD Radeon E8860 embedded GPU with the drm driver. The dmesg output included driver warnings about an invalid PCIe lane width. Tracking the problem back led to si_set_pcie_lane_width_in_smc(). The calculation of the lane widths via ATOM_PPLIB_PCIE_LINK_WIDTH_MASK and ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT macros did not increment the resulting value, per the comment in pptable.h ("lanes - 1"), and per usage elsewhere. Applying the increment silenced the warnings. The code has not changed since, so either my analysis was incorrect or the bug has gone unnoticed. Hence submitting this as an RFC.
Acked-by: Christian König christian.koenig@amd.com
Acked-by: Chunming Zhou david1.zhou@amd.com
Signed-off-by: Paul Parsons lost.distance@yahoo.com
Signed-off-by: Alex Deucher alexander.deucher@amd.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/gpu/drm/radeon/si_dpm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/radeon/si_dpm.c +++ b/drivers/gpu/drm/radeon/si_dpm.c @@ -5828,9 +5828,9 @@ static void si_set_pcie_lane_width_in_sm { u32 lane_width; u32 new_lane_width = - (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; + ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1; u32 current_lane_width = - (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; + ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
if (new_lane_width != current_lane_width) { radeon_set_pcie_lanes(rdev, new_lane_width);
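Review bot: the "+ 1" is applied by hand to two identical mask-and-shift expressions in si_set_pcie_lane_width_in_smc(), which is how the off-by-one went unnoticed in the first place. A small helper or macro that decodes the lane count from caps, with a comment pointing at the "lanes - 1" encoding in pptable.h, would keep the rule in one place. Since the comparison new_lane_width != current_lane_width is unaffected by adding 1 to both sides, the visible effect is only on the value passed to radeon_set_pcie_lanes(); the commit message could say so.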
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Roeschley kyle.roeschley@ni.com
commit 1e23aace21515a8f7615a1de016c0ea8d4e0cc6e upstream.
Added the USB VID and PID for the USB serial console on some National Instruments devices.
Signed-off-by: Kyle Roeschley kyle.roeschley@ni.com
Signed-off-by: Johan Hovold johan@kernel.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -210,6 +210,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */ { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */ { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */ + { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */ { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */ { } /* Terminating Entry */ };
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli f.fainelli@gmail.com
commit 6f89421180f15867dc1472d9edf68f82b0ed5ee6 upstream.
skb->protocol is a __be16 which we would be calling htons() against, while this is not wrong per-se as it correctly results in swapping the value on LE hosts, this still upsets sparse. Adopt a similar pattern to what other drivers do and just assign ip_ver to skb->protocol, and then use htons() against the different constants such that the compiler can resolve the values at build time.
Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Florian Fainelli f.fainelli@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c @@ -1093,7 +1093,7 @@ static int bcmgenet_put_tx_csum(struct n struct sk_buff *new_skb; u16 offset; u8 ip_proto; - u16 ip_ver; + __be16 ip_ver; u32 tx_csum_info;
if (unlikely(skb_headroom(skb) < sizeof(*status))) { @@ -1114,12 +1114,12 @@ static int bcmgenet_put_tx_csum(struct n status = (struct status_64 *)skb->data;
if (skb->ip_summed == CHECKSUM_PARTIAL) { - ip_ver = htons(skb->protocol); + ip_ver = skb->protocol; switch (ip_ver) { - case ETH_P_IP: + case htons(ETH_P_IP): ip_proto = ip_hdr(skb)->protocol; break; - case ETH_P_IPV6: + case htons(ETH_P_IPV6): ip_proto = ipv6_hdr(skb)->nexthdr; break; default: @@ -1135,7 +1135,8 @@ static int bcmgenet_put_tx_csum(struct n */ if (ip_proto == IPPROTO_TCP || ip_proto == IPPROTO_UDP) { tx_csum_info |= STATUS_TX_CSUM_LV; - if (ip_proto == IPPROTO_UDP && ip_ver == ETH_P_IP) + if (ip_proto == IPPROTO_UDP && + ip_ver == htons(ETH_P_IP)) tx_csum_info |= STATUS_TX_CSUM_PROTO_UDP; } else tx_csum_info = 0;
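Review bot: in the last hunk of bcmgenet_put_tx_csum() the rewritten condition still sets STATUS_TX_CSUM_PROTO_UDP only when ip_ver == htons(ETH_P_IP), so UDP over IPv6 takes the STATUS_TX_CSUM_LV path without the UDP flag. The patch does not change that, but since the line is being touched a short comment saying why the flag is IPv4-only would save the next reader from suspecting a missed case.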
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dexuan Cui decui@microsoft.com
commit 5596fe34495cf0f645f417eb928ef224df3e3cb4 upstream.
for_each_cpu() unintuitively reports CPU0 as set independent of the actual cpumask content on UP kernels. This causes an unexpected PIT interrupt storm on a UP kernel running in an SMP virtual machine on Hyper-V, and as a result, the virtual machine can suffer from a strange random delay of 1~20 minutes during boot-up, and sometimes it can hang forever.
Protect it by checking whether the cpumask is empty before entering the for_each_cpu() loop.
[ tglx: Use !IS_ENABLED(CONFIG_SMP) instead of #ifdeffery ]
Signed-off-by: Dexuan Cui decui@microsoft.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: Josh Poulson jopoulso@microsoft.com
Cc: "Michael Kelley (EOSG)" Michael.H.Kelley@microsoft.com
Cc: Peter Zijlstra peterz@infradead.org
Cc: Frederic Weisbecker fweisbec@gmail.com
Cc: Rakib Mullick rakib.mullick@gmail.com
Cc: Jork Loeser Jork.Loeser@microsoft.com
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Cc: Andrew Morton akpm@linux-foundation.org
Cc: KY Srinivasan kys@microsoft.com
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Alexey Dobriyan adobriyan@gmail.com
Cc: Dmitry Vyukov dvyukov@google.com
Link: https://lkml.kernel.org/r/KL1P15301MB000678289FE55BA365B3279ABF990@KL1P15301...
Link: https://lkml.kernel.org/r/KL1P15301MB0006FA63BC22BEB64902EAA0BF930@KL1P15301...
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 kernel/time/tick-broadcast.c | 8 ++++++++
 1 file changed, 8 insertions(+)
--- a/kernel/time/tick-broadcast.c +++ b/kernel/time/tick-broadcast.c @@ -585,6 +585,14 @@ again: now = ktime_get(); /* Find all expired events */ for_each_cpu(cpu, tick_broadcast_oneshot_mask) { + /* + * Required for !SMP because for_each_cpu() reports + * unconditionally CPU0 as set on UP kernels. + */ + if (!IS_ENABLED(CONFIG_SMP) && + cpumask_empty(tick_broadcast_oneshot_mask)) + break; + td = &per_cpu(tick_cpu_device, cpu); if (td->evtdev->next_event.tv64 <= now.tv64) { cpumask_set_cpu(cpu, tmpmask);
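Review bot: the commit message says the cpumask is checked before entering the for_each_cpu() loop, but the new test is the first statement inside the loop body and leaves via break. On a UP kernel the result is the same, yet hoisting the !IS_ENABLED(CONFIG_SMP) && cpumask_empty(tick_broadcast_oneshot_mask) test above the loop would match the description and avoid re-evaluating it per iteration. The comment would also read better as "unconditionally reports CPU0 as set".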
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tarick Bedeir tarick@google.com
commit 57f6f99fdad9984801cde05c1db68fe39b474a10 upstream.
Avoid exiting the function with a lingering sysfs file (if the first call to device_create_file() fails while the second succeeds), and avoid calling devlink_port_unregister() twice.
In other words, either mlx4_init_port_info() succeeds and returns zero, or it fails, returns non-zero, and requires no cleanup.
Fixes: 096335b3f983 ("mlx4_core: Allow dynamic MTU configuration for IB ports")
Signed-off-by: Tarick Bedeir tarick@google.com
Reviewed-by: Leon Romanovsky leonro@mellanox.com
Reviewed-by: Tariq Toukan tariqt@mellanox.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/mellanox/mlx4/main.c +++ b/drivers/net/ethernet/mellanox/mlx4/main.c @@ -2048,6 +2048,7 @@ static int mlx4_init_port_info(struct ml if (err) { mlx4_err(dev, "Failed to create file for port %d\n", port); info->port = -1; + return err; }
sprintf(info->dev_mtu_name, "mlx4_port%d_mtu", port); @@ -2066,9 +2067,10 @@ static int mlx4_init_port_info(struct ml mlx4_err(dev, "Failed to create mtu file for port %d\n", port); device_remove_file(&info->dev->pdev->dev, &info->port_attr); info->port = -1; + return err; }
- return err; + return 0; }
static void mlx4_cleanup_port_info(struct mlx4_port_info *info)
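Review bot: the commit message says the change avoids calling devlink_port_unregister() twice, but neither hunk of mlx4_init_port_info() in this backport touches a devlink call; both only add return err; after the device_create_file() failure handling. If the devlink half does not apply to 3.16, the message should carry a backport note saying so. The code itself looks right: with both error branches returning early, the final return 0; can no longer report success after the first file failed to be created.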
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Neuling mikey@neuling.org
commit faf37c44a105f3608115785f17cbbf3500f8bc71 upstream.
Clear the PCR (Processor Compatibility Register) on boot to ensure we are not running in a compatibility mode.
We've seen this cause problems when a crash (and kdump) occurs while running compat mode guests. The kdump kernel then runs with the PCR set and causes problems. The symptom in the kdump kernel (also seen in petitboot after fast-reboot) is early userspace programs taking sigills on newer instructions (seen in libc).
Signed-off-by: Michael Neuling mikey@neuling.org Signed-off-by: Michael Ellerman mpe@ellerman.id.au [bwh: Backported to 3.16: Drop changes in __{setup,restore}_cpu_power9 and __restore_cpu_cpufeatures()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/powerpc/kernel/cpu_setup_power.S +++ b/arch/powerpc/kernel/cpu_setup_power.S @@ -27,6 +27,7 @@ _GLOBAL(__setup_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR bl __init_LPCR bl __init_tlb_power7 @@ -40,6 +41,7 @@ _GLOBAL(__restore_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR bl __init_LPCR bl __init_tlb_power7 @@ -55,6 +57,7 @@ _GLOBAL(__setup_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH bl __init_LPCR @@ -74,6 +77,7 @@ _GLOBAL(__restore_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH bl __init_LPCR
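Review bot: in all four routines the new mtspr SPRN_PCR,r0 sits after the beqlr and depends on r0 still holding the 0 loaded by li r0,0 for SPRN_LPID. That means the PCR is cleared only when the early return is not taken, and a later edit that reuses r0 between the two mtspr lines would silently write a non-zero value. A one-line comment on the new instruction (that it clears compatibility mode and relies on r0 == 0) would document both points; the commit message could also state which boot paths skip the write.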
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bharat Potnuri bharat@chelsio.com
commit 2df19e19ae90d94fd8724083f161f368a2797537 upstream.
When a CQ is shared by multiple QPs, c4iw_flush_hw_cq() needs to acquire corresponding QP lock before moving the CQEs into its corresponding SW queue and accessing the SQ contents for completing a WR. Ignore CQEs if corresponding QP is already flushed.
Signed-off-by: Potnuri Bharat Teja bharat@chelsio.com
Reviewed-by: Steve Wise swise@opengridcomputing.com
Signed-off-by: Doug Ledford dledford@redhat.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/infiniband/hw/cxgb4/cq.c | 11 ++++++++++-
 drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
 drivers/infiniband/hw/cxgb4/qp.c | 4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)
--- a/drivers/infiniband/hw/cxgb4/cq.c +++ b/drivers/infiniband/hw/cxgb4/cq.c @@ -331,7 +331,7 @@ static void advance_oldest_read(struct t * Deal with out-of-order and/or completions that complete * prior unsignalled WRs. */ -void c4iw_flush_hw_cq(struct c4iw_cq *chp) +void c4iw_flush_hw_cq(struct c4iw_cq *chp, struct c4iw_qp *flush_qhp) { struct t4_cqe *hw_cqe, *swcqe, read_cqe; struct c4iw_qp *qhp; @@ -355,6 +355,13 @@ void c4iw_flush_hw_cq(struct c4iw_cq *ch if (qhp == NULL) goto next_cqe;
+ if (flush_qhp != qhp) { + spin_lock(&qhp->lock); + + if (qhp->wq.flushed == 1) + goto next_cqe; + } + if (CQE_OPCODE(hw_cqe) == FW_RI_TERMINATE) goto next_cqe;
@@ -406,6 +413,8 @@ void c4iw_flush_hw_cq(struct c4iw_cq *ch next_cqe: t4_hwcq_consume(&chp->cq); ret = t4_next_hw_cqe(&chp->cq, &hw_cqe); + if (qhp && flush_qhp != qhp) + spin_unlock(&qhp->lock); } }
--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h @@ -977,7 +977,7 @@ void c4iw_pblpool_free(struct c4iw_rdev u32 c4iw_ocqp_pool_alloc(struct c4iw_rdev *rdev, int size); void c4iw_ocqp_pool_free(struct c4iw_rdev *rdev, u32 addr, int size); int c4iw_ofld_send(struct c4iw_rdev *rdev, struct sk_buff *skb); -void c4iw_flush_hw_cq(struct c4iw_cq *chp); +void c4iw_flush_hw_cq(struct c4iw_cq *chp, struct c4iw_qp *flush_qhp); void c4iw_count_rcqes(struct t4_cq *cq, struct t4_wq *wq, int *count); int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp); int c4iw_flush_rq(struct t4_wq *wq, struct t4_cq *cq, int count); --- a/drivers/infiniband/hw/cxgb4/qp.c +++ b/drivers/infiniband/hw/cxgb4/qp.c @@ -1082,7 +1082,7 @@ static void __flush_qp(struct c4iw_qp *q } qhp->wq.flushed = 1;
- c4iw_flush_hw_cq(rchp); + c4iw_flush_hw_cq(rchp, qhp); c4iw_count_rcqes(&rchp->cq, &qhp->wq, &count); flushed = c4iw_flush_rq(&qhp->wq, &rchp->cq, count); spin_unlock(&qhp->lock); @@ -1097,7 +1097,7 @@ static void __flush_qp(struct c4iw_qp *q spin_lock_irqsave(&schp->lock, flag); spin_lock(&qhp->lock); if (schp != rchp) - c4iw_flush_hw_cq(schp); + c4iw_flush_hw_cq(schp, qhp); flushed = c4iw_flush_sq(qhp); spin_unlock(&qhp->lock); spin_unlock_irqrestore(&schp->lock, flag);
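Review bot: c4iw_flush_hw_cq() now takes qhp->lock for a second QP with plain spin_lock() while the caller in __flush_qp() already holds the flushing QP's qhp->lock. That nests two locks of the same kind with no stated order between QPs, so please document in the function comment what prevents two QPs that share CQs from taking each other's lock in opposite order (presumably the CQ lock held by the caller), and annotate the inner acquisition accordingly so lockdep does not report it as recursion. The unlock at next_cqe: is keyed on qhp && flush_qhp != qhp, which matches the lock site and also covers the qhp == NULL jump, so the pairing itself looks correct.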
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 77d36398d99f2565c0a8d43a86fd520a82e64bb8 upstream.
syzbot complained :
BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 memcmp+0x119/0x180 lib/string.c:861
 __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
 __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
 igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
 ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
 addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
 addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
 addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
Signed-off-by: Eric Dumazet edumazet@google.com
Reported-by: syzbot syzkaller@googlegroups.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/core/dev_addr_lists.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/core/dev_addr_lists.c +++ b/net/core/dev_addr_lists.c @@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netde return -EINVAL;
list_for_each_entry(ha, &list->list, list) { - if (!memcmp(ha->addr, addr, addr_len) && - ha->type == addr_type) { + if (ha->type == addr_type && + !memcmp(ha->addr, addr, addr_len)) { if (global) { /* check if addr is already used as global */ if (ha->global_use)
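Review bot: the commit message gives only the KMSAN trace and does not explain why swapping the operands in __hw_addr_add_ex() addresses it. As written, the reorder skips memcmp() only when ha->type differs from addr_type; for entries of the same type memcmp() still reads addr_len bytes from both ha->addr and addr, so any uninitialised bytes there are still compared. Please add a sentence saying which buffer is partly uninitialised and why entries of matching type are guaranteed to have all addr_len bytes set, or fix the initialisation at the source.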
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" gustavo@embeddedor.com
commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream.
ioc_data.dev_num can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue 'dev_lec'
Fix this by sanitizing ioc_data.dev_num before using it to index dev_lec. Also, notice that there is another instance in which array dev_lec is being indexed using ioc_data.dev_num at line 705:
lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),
Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Signed-off-by: Gustavo A. R. Silva gustavo@embeddedor.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/atm/lec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/atm/lec.c +++ b/net/atm/lec.c @@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = #include <linux/module.h> #include <linux/init.h>
+/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #include "lec.h" #include "lec_arpc.h" #include "resources.h" @@ -695,8 +698,10 @@ static int lec_vcc_attach(struct atm_vcc bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); if (bytes_left != 0) pr_info("copy from user failed for %d bytes\n", bytes_left); - if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || - !dev_lec[ioc_data.dev_num]) + if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) + return -EINVAL; + ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); + if (!dev_lec[ioc_data.dev_num]) return -EINVAL; vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); if (!vpriv)
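Review bot: the context lines just above the new check in lec_vcc_attach() show that a short copy_from_user() is only logged with pr_info() and execution continues, so ioc_data.dev_num can be validated and sanitised from a partially copied struct. Since this hunk is hardening exactly that field, it would be the natural place to return -EFAULT when bytes_left != 0. The nospec change itself is placed correctly: the bounds check runs first, and writing the array_index_nospec() result back into ioc_data.dev_num also covers the second dev_lec[] use mentioned in the message.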
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" mst@redhat.com
commit 2855b33514d290c51d52d94e25d3ef942cd4d578 upstream.
an allocated buffer doesn't need to be tied to a vq - only vq->vdev is ever used. Pass the function just what it needs - the vdev.
Signed-off-by: Michael S. Tsirkin mst@redhat.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/char/virtio_console.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -417,7 +417,7 @@ static void reclaim_dma_bufs(void) } }
-static struct port_buffer *alloc_buf(struct virtqueue *vq, size_t buf_size, +static struct port_buffer *alloc_buf(struct virtio_device *vdev, size_t buf_size, int pages) { struct port_buffer *buf; @@ -440,7 +440,7 @@ static struct port_buffer *alloc_buf(str return buf; }
- if (is_rproc_serial(vq->vdev)) { + if (is_rproc_serial(vdev)) { /* * Allocate DMA memory from ancestor. When a virtio * device is created by remoteproc, the DMA memory is @@ -450,9 +450,9 @@ static struct port_buffer *alloc_buf(str * DMA_MEMORY_INCLUDES_CHILDREN had been supported * in dma-coherent.c */ - if (!vq->vdev->dev.parent || !vq->vdev->dev.parent->parent) + if (!vdev->dev.parent || !vdev->dev.parent->parent) goto free_buf; - buf->dev = vq->vdev->dev.parent->parent; + buf->dev = vdev->dev.parent->parent;
/* Increase device refcnt to avoid freeing it */ get_device(buf->dev); @@ -834,7 +834,7 @@ static ssize_t port_fops_write(struct fi
count = min((size_t)(32 * 1024), count);
- buf = alloc_buf(port->out_vq, count, 0); + buf = alloc_buf(port->portdev->vdev, count, 0); if (!buf) return -ENOMEM;
@@ -953,7 +953,7 @@ static ssize_t port_fops_splice_write(st if (ret < 0) goto error_out;
- buf = alloc_buf(port->out_vq, 0, pipe->nrbufs); + buf = alloc_buf(port->portdev->vdev, 0, pipe->nrbufs); if (!buf) { ret = -ENOMEM; goto error_out; @@ -1370,7 +1370,7 @@ static unsigned int fill_queue(struct vi
nr_added_bufs = 0; do { - buf = alloc_buf(vq, PAGE_SIZE, 0); + buf = alloc_buf(vq->vdev, PAGE_SIZE, 0); if (!buf) break;
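Review bot: port_fops_write() and port_fops_splice_write() now dereference port->portdev->vdev where they previously passed port->out_vq, and the hunks show no check that port->portdev is still valid on those paths. Please confirm, or state in the commit message, that portdev cannot be NULL or stale there (for example while the port is being removed), since the old code never followed that pointer at these call sites. As a style point, the new alloc_buf() prototype line runs past 80 columns and should wrap after the first parameter.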
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara jack@suse.cz
commit 514d748f69c97a51a2645eb198ac5c6218f22ff9 upstream.
Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) made ufs create inodes with I_NEW flag set. However ufs_mkdir() never cleared this flag. Thus if someone ever tried to lookup the directory by inode number, he would deadlock waiting for I_NEW to be cleared. Luckily this mostly happens only if the filesystem is exported over NFS since otherwise we have the inode attached to dentry and don't look it up by inode number. In rare cases dentry can get freed without inode being freed and then we'd hit the deadlock even without NFS export.
Fix the problem by clearing I_NEW before instantiating new directory inode.
Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8
Reported-by: Fabian Frederick fabf@skynet.be
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/ufs/namei.c | 1 +
 1 file changed, 1 insertion(+)
--- a/fs/ufs/namei.c +++ b/fs/ufs/namei.c @@ -212,6 +212,7 @@ static int ufs_mkdir(struct inode * dir, goto out_fail; unlock_ufs(dir->i_sb);
+ unlock_new_inode(inode); d_instantiate(dentry, inode); out: return err;
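Review bot: the added unlock_new_inode(inode) covers only the success path of ufs_mkdir(); the goto out_fail visible in the context leads to code outside the hunk. If that path drops the inode while I_NEW is still set, a concurrent lookup by inode number can wait on it in the same way the message describes. Please confirm out_fail clears I_NEW before the final iput, and say so in the commit message.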
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Neuling mikey@neuling.org
commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream.
On boot we save the configuration space of PCIe bridges. We do this so when we get an EEH event and everything gets reset that we can restore them.
Unfortunately we save this state before we've enabled the MMIO space on the bridges. Hence if we have to reset the bridge when we come back MMIO is not enabled and we end up taking a PE freeze when the driver starts accessing again.
This patch forces the memory/MMIO and bus mastering on when restoring bridges on EEH. Ideally we'd do this correctly by saving the configuration space writes later, but that will have to come later in a larger EEH rewrite. For now we have this simple fix.
The original bug can be triggered on a boston machine by doing:
  echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound
On boston, this PHB has a PCIe switch on it. Without this patch, you'll see two EEH events, 1 expected and 1 the failure we are fixing here. The second EEH event causes anything under the PHB to disappear (i.e. the i40e eth).
With this patch, only 1 EEH event occurs and devices properly recover.
Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset") Reported-by: Pridhiviraj Paidipeddi ppaidipe@linux.vnet.ibm.com Signed-off-by: Michael Neuling mikey@neuling.org Acked-by: Russell Currey ruscur@russell.cc Signed-off-by: Michael Ellerman mpe@ellerman.id.au [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/kernel/eeh_pe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/powerpc/kernel/eeh_pe.c +++ b/arch/powerpc/kernel/eeh_pe.c @@ -723,7 +723,8 @@ static void eeh_restore_bridge_bars(stru eeh_ops->write_config(dn, 15*4, 4, edev->config_space[15]);
/* PCI Command: 0x4 */ - eeh_ops->write_config(dn, PCI_COMMAND, 4, edev->config_space[1]); + eeh_ops->write_config(dn, PCI_COMMAND, 4, edev->config_space[1] | + PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
/* Check the PCIe link is ready */ eeh_bridge_check_link(edev, dn);
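Review bot: The comment above the changed write in eeh_restore_bridge_bars() still reads only `/* PCI Command: 0x4 */`, while the write now forces PCI_COMMAND_MEMORY and PCI_COMMAND_MASTER on top of the saved value. A short comment there saying that the bits are forced because the config space was saved before MMIO was enabled, and that this is a stopgap until the save is moved later, would keep the OR from being removed as a cleanup. Bus mastering is now enabled on every restored bridge regardless of its saved state, which is worth stating in the same comment.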
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin npiggin@gmail.com
commit 741de617661794246f84a21a02fc5e327bffc9ad upstream.
opal_nvram_write currently just assumes success if it encounters an error other than OPAL_BUSY or OPAL_BUSY_EVENT. Have it return -EIO on other errors instead.
Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks") Signed-off-by: Nicholas Piggin npiggin@gmail.com Reviewed-by: Vasant Hegde hegdevasant@linux.vnet.ibm.com Acked-by: Stewart Smith stewart@linux.ibm.com Signed-off-by: Michael Ellerman mpe@ellerman.id.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/platforms/powernv/opal-nvram.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/arch/powerpc/platforms/powernv/opal-nvram.c +++ b/arch/powerpc/platforms/powernv/opal-nvram.c @@ -58,6 +58,10 @@ static ssize_t opal_nvram_write(char *bu if (rc == OPAL_BUSY_EVENT) opal_poll_events(NULL); } + + if (rc) + return -EIO; + *index += count; return count; }
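Review bot: The new `if (rc) return -EIO;` after the busy loop in opal_nvram_write() discards the OPAL return code, so every firmware failure looks the same to the caller and nothing is logged. Consider a pr_err (rate limited if needed) that includes rc before returning, so that a failed NVRAM write can be diagnosed from the kernel log.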
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shamir Rabinovitch shamir.rabinovitch@oracle.com
commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream.
Validating input parameters should be done before getting the cm_id otherwise it can leak a cm_id reference.
Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") Signed-off-by: Shamir Rabinovitch shamir.rabinovitch@oracle.com Reviewed-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Jason Gunthorpe jgg@mellanox.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/core/ucma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1204,13 +1204,13 @@ static ssize_t ucma_set_option(struct uc if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT;
+ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx);
- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) - return -EINVAL; - optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {
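Review bot: With the optlen check moved above ucma_get_ctx() in ucma_set_option(), the one exit visible here after the reference is taken is the `if (IS_ERR(optval)) {` branch following memdup_user(). Please confirm that branch releases the ctx reference before returning, since the point of the reorder is that no early return sits between ucma_get_ctx() and its matching put. A one-line comment above the new check saying that validation must precede the ctx lookup would keep later additions from repeating the leak.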
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck linux@roeck-us.net
commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 upstream.
pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip register bit is set to 1 for DC mode. This got mixed up, and writing 1 into pwmX_mode resulted in DC mode enabled. Fix it up by using the ABI definition throughout the driver for consistency.
Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ") Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hwmon/nct6775.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/hwmon/nct6775.c +++ b/drivers/hwmon/nct6775.c @@ -1287,7 +1287,7 @@ static void nct6775_update_pwm(struct de duty_is_dc = data->REG_PWM_MODE[i] && (nct6775_read_value(data, data->REG_PWM_MODE[i]) & data->PWM_MODE_MASK[i]); - data->pwm_mode[i] = duty_is_dc; + data->pwm_mode[i] = !duty_is_dc;
fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { @@ -2146,7 +2146,7 @@ show_pwm_mode(struct device *dev, struct struct nct6775_data *data = nct6775_update_device(dev); struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); + return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); }
static ssize_t @@ -2167,9 +2167,9 @@ store_pwm_mode(struct device *dev, struc if (val > 1) return -EINVAL;
- /* Setting DC mode is not supported for all chips/channels */ + /* Setting DC mode (0) is not supported for all chips/channels */ if (data->REG_PWM_MODE[nr] == 0) { - if (val) + if (!val) return -EINVAL; return count; } @@ -2178,7 +2178,7 @@ store_pwm_mode(struct device *dev, struc data->pwm_mode[nr] = val; reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); reg &= ~data->PWM_MODE_MASK[nr]; - if (val) + if (!val) reg |= data->PWM_MODE_MASK[nr]; nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); mutex_unlock(&data->update_lock);
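Review bot: The patch flips the meaning of data->pwm_mode[] from "is DC" to the ABI value (0 = DC, 1 = PWM) in nct6775_update_pwm(), show_pwm_mode() and store_pwm_mode(), so any other reader of data->pwm_mode[] that is not in these hunks now sees the inverted value. Please check the driver for remaining users and add a comment at the field declaration stating the encoding. The updated "Setting DC mode (0)" comment in store_pwm_mode() helps; the same hint next to `if (!val) reg |= data->PWM_MODE_MASK[nr];` would make the register polarity explicit.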
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin npiggin@gmail.com
commit 0bfdf598900fd62869659f360d3387ed80eb71cf upstream.
asm/barrier.h is not always included after asm/synch.h, which meant it was missing __SUBARCH_HAS_LWSYNC, so in some files smp_wmb() would be eieio when it should be lwsync. kernel/time/hrtimer.c is one case.
__SUBARCH_HAS_LWSYNC is only used in one place, so just fold it in to where it's used. Previously with my small simulator config, 377 instances of eieio in the tree. After this patch there are 55.
Fixes: 46d075be585e ("powerpc: Optimise smp_wmb") Signed-off-by: Nicholas Piggin npiggin@gmail.com Signed-off-by: Michael Ellerman mpe@ellerman.id.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/include/asm/barrier.h | 3 ++- arch/powerpc/include/asm/synch.h | 4 ---- 2 files changed, 2 insertions(+), 5 deletions(-)
--- a/arch/powerpc/include/asm/barrier.h +++ b/arch/powerpc/include/asm/barrier.h @@ -39,7 +39,8 @@
#ifdef CONFIG_SMP
-#ifdef __SUBARCH_HAS_LWSYNC +/* The sub-arch has lwsync */ +#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) # define SMPWMB LWSYNC #else # define SMPWMB eieio --- a/arch/powerpc/include/asm/synch.h +++ b/arch/powerpc/include/asm/synch.h @@ -5,10 +5,6 @@ #include <linux/stringify.h> #include <asm/feature-fixups.h>
-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) -#define __SUBARCH_HAS_LWSYNC -#endif - #ifndef __ASSEMBLY__ extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup; extern void do_lwsync_fixups(unsigned long value, void *fixup_start,
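Review bot: In barrier.h, `# define SMPWMB LWSYNC` now depends only on the open-coded `defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)` test, but the hunk does not show where the LWSYNC token itself comes from. Since the bug being fixed was an include-order dependency on asm/synch.h, please make sure barrier.h pulls in what it needs for LWSYNC directly rather than relying on its includer. The condition is also now a copy of the one removed from synch.h, so the new "The sub-arch has lwsync" comment could say which other code must stay in step with it.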
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu chao2.yu@samsung.com
commit b73e52824c8920a5ff754e3c8ff68466a7dd61f9 upstream.
As the race condition on the inode cache, following scenario can appear: [Thread a] [Thread b] ->f2fs_mkdir ->f2fs_add_link ->__f2fs_add_link ->init_inode_metadata failed here ->gc_thread_func ->f2fs_gc ->do_garbage_collect ->gc_data_segment ->f2fs_iget ->iget_locked ->wait_on_inode ->unlock_new_inode ->move_data_page ->make_bad_inode ->iput
When we fail in create/symlink/mkdir/mknod/tmpfile, the newly allocated inode should be set as bad to avoid being accessed by other threads. But in the above scenario, it allows f2fs to access the invalid inode before this inode was set as bad. This patch fixes the potential problem, and this issue was found by code review.
change log from v1:
 o Add condition judgment in gc_data_segment() suggested by Changman Lee.
 o use iget_failed to simplify code.
Signed-off-by: Chao Yu chao2.yu@samsung.com Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org [bwh: Backported to 3.16: Drop changes in f2fs_tmpfile()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -602,7 +602,7 @@ next_step:
if (phase == 2) { inode = f2fs_iget(sb, dni.ino); - if (IS_ERR(inode)) + if (IS_ERR(inode) || is_bad_inode(inode)) continue;
start_bidx = start_bidx_of_node(nofs, F2FS_I(inode)); --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -135,9 +135,7 @@ static int f2fs_create(struct inode *dir return 0; out: clear_nlink(inode); - unlock_new_inode(inode); - make_bad_inode(inode); - iput(inode); + iget_failed(inode); alloc_nid_failed(sbi, ino); return err; } @@ -271,9 +269,7 @@ static int f2fs_symlink(struct inode *di return err; out: clear_nlink(inode); - unlock_new_inode(inode); - make_bad_inode(inode); - iput(inode); + iget_failed(inode); alloc_nid_failed(sbi, inode->i_ino); return err; } @@ -312,9 +308,7 @@ static int f2fs_mkdir(struct inode *dir, out_fail: clear_inode_flag(F2FS_I(inode), FI_INC_LINK); clear_nlink(inode); - unlock_new_inode(inode); - make_bad_inode(inode); - iput(inode); + iget_failed(inode); alloc_nid_failed(sbi, inode->i_ino); return err; } @@ -359,9 +353,7 @@ static int f2fs_mknod(struct inode *dir, return 0; out: clear_nlink(inode); - unlock_new_inode(inode); - make_bad_inode(inode); - iput(inode); + iget_failed(inode); alloc_nid_failed(sbi, inode->i_ino); return err; }
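Review bot: In the f2fs_symlink(), f2fs_mkdir() and f2fs_mknod() error paths, `alloc_nid_failed(sbi, inode->i_ino)` runs right after `iget_failed(inode)`, which takes over the `iput(inode)` that was removed, so inode->i_ino is read after the reference has been dropped. f2fs_create() avoids this by passing a saved `ino`; the other three should save the number before calling iget_failed() as well. In gc.c, the new `|| is_bad_inode(inode)` arm takes `continue` on a valid pointer returned by f2fs_iget() without an iput(), which looks like a leaked reference on that path.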
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann sven@narfation.org
commit 8ba0f9bd3bdea1058c2b2676bec7905724418e40 upstream.
The functions batadv_tt_prepare_tvlv_local_data and batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer which can be used to store the TVLV container for TT and add the VLAN information to it.
This will be done in three phases:
 1. count the number of VLANs and their entries
 2. allocate the buffer using the counters from the previous step and limits from the caller (parameter tt_len)
 3. insert the VLAN information to the buffer
The step 1 and 3 operate on a list which contains the VLANs. The access to these lists must be protected with an appropriate lock or otherwise they might operate on different entries. This could for example happen when another context is adding VLAN entries to this list.
This could lead to a buffer overflow in these functions when enough entries were added between step 1 and 3 to the VLAN lists that the buffer room for the entries (*tt_change) is smaller than the now required extra buffer for new VLAN entries.
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann sven@narfation.org Acked-by: Antonio Quartulli a@unstable.cc Signed-off-by: Simon Wunderlich sw@simonwunderlich.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/batman-adv/translation-table.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -718,7 +718,7 @@ batadv_tt_prepare_tvlv_global_data(struc struct batadv_orig_node_vlan *vlan; uint8_t *tt_change_ptr;
- rcu_read_lock(); + spin_lock_bh(&orig_node->vlan_list_lock); list_for_each_entry_rcu(vlan, &orig_node->vlan_list, list) { num_vlan++; num_entries += atomic_read(&vlan->tt.num_entries); @@ -756,7 +756,7 @@ batadv_tt_prepare_tvlv_global_data(struc *tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
out: - rcu_read_unlock(); + spin_unlock_bh(&orig_node->vlan_list_lock); return tvlv_len; }
@@ -790,7 +790,7 @@ batadv_tt_prepare_tvlv_local_data(struct uint8_t *tt_change_ptr; int change_offset;
- rcu_read_lock(); + spin_lock_bh(&bat_priv->softif_vlan_list_lock); hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) { num_vlan++; num_entries += atomic_read(&vlan->tt.num_entries); @@ -828,7 +828,7 @@ batadv_tt_prepare_tvlv_local_data(struct *tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
out: - rcu_read_unlock(); + spin_unlock_bh(&bat_priv->softif_vlan_list_lock); return tvlv_len; }
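Review bot: Both functions now hold a BH-disabling spinlock (orig_node->vlan_list_lock and bat_priv->softif_vlan_list_lock) across all three phases, including the buffer allocation that the commit message lists as step 2 and that is not shown in these hunks. Please confirm that the allocation cannot sleep (GFP_ATOMIC), since a sleeping allocation under spin_lock_bh() would be a new bug introduced by the lock change. The walks still use list_for_each_entry_rcu() and hlist_for_each_entry_rcu() under the spinlock, which works, but a comment saying the lock is there to keep the count and the fill consistent would explain why RCU alone is not enough.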
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" mst@redhat.com
commit 5c60300d68da32ca77f7f978039dc72bfc78b06b upstream.
When out of memory and we can't add ctrl vq buffers, probe fails. Unfortunately the error handling is out of spec: it calls del_vqs without bothering to reset the device first.
To fix, call the full cleanup function in this case.
Signed-off-by: Michael S. Tsirkin mst@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/char/virtio_console.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -2073,6 +2073,7 @@ static int virtcons_probe(struct virtio_
spin_lock_init(&portdev->ports_lock); INIT_LIST_HEAD(&portdev->ports); + INIT_LIST_HEAD(&portdev->list);
INIT_WORK(&portdev->config_work, &config_work_handler); INIT_WORK(&portdev->control_work, &control_work_handler); @@ -2088,8 +2089,15 @@ static int virtcons_probe(struct virtio_ if (!nr_added_bufs) { dev_err(&vdev->dev, "Error allocating buffers for control queue\n"); - err = -ENOMEM; - goto free_vqs; + /* + * The host might want to notify mgmt sw about device + * add failure. + */ + __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, + VIRTIO_CONSOLE_DEVICE_READY, 0); + /* Device was functional: we need full cleanup. */ + virtcons_remove(vdev); + return -ENOMEM; } } else { /* @@ -2120,11 +2128,6 @@ static int virtcons_probe(struct virtio_
return 0;
-free_vqs: - /* The host might want to notify mgmt sw about device add failure */ - __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, - VIRTIO_CONSOLE_DEVICE_READY, 0); - remove_vqs(portdev); free_chrdev: unregister_chrdev(portdev->chr_major, "virtio-portsdev"); free:
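Review bot: The new failure branch in virtcons_probe() calls virtcons_remove(vdev) on a device whose probe has not finished, so every field that virtcons_remove() touches must already be valid at that point. The added INIT_LIST_HEAD(&portdev->list) covers the list_del() and the INIT_WORK() calls precede the branch, but the hunks do not show vdev->priv being set before it; please confirm that, since virtcons_remove() starts from vdev->priv. The branch also only builds once virtcons_remove() is defined above virtcons_probe(), so this patch has to be applied after the one that moves the function (aa44ec867030a72e8aa127977e37dec551d8df19).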
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" mst@redhat.com
commit aa44ec867030a72e8aa127977e37dec551d8df19 upstream.
Will make it reusable for error handling.
Signed-off-by: Michael S. Tsirkin mst@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/char/virtio_console.c | 72 +++++++++++++++++------------------ 1 file changed, 36 insertions(+), 36 deletions(-)
--- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -1980,6 +1980,42 @@ static void remove_vqs(struct ports_devi kfree(portdev->out_vqs); }
+static void virtcons_remove(struct virtio_device *vdev) +{ + struct ports_device *portdev; + struct port *port, *port2; + + portdev = vdev->priv; + + spin_lock_irq(&pdrvdata_lock); + list_del(&portdev->list); + spin_unlock_irq(&pdrvdata_lock); + + /* Disable interrupts for vqs */ + vdev->config->reset(vdev); + /* Finish up work that's lined up */ + if (use_multiport(portdev)) + cancel_work_sync(&portdev->control_work); + else + cancel_work_sync(&portdev->config_work); + + list_for_each_entry_safe(port, port2, &portdev->ports, list) + unplug_port(port); + + unregister_chrdev(portdev->chr_major, "virtio-portsdev"); + + /* + * When yanking out a device, we immediately lose the + * (device-side) queues. So there's no point in keeping the + * guest side around till we drop our final reference. This + * also means that any ports which are in an open state will + * have to just stop using the port, as the vqs are going + * away. + */ + remove_vqs(portdev); + kfree(portdev); +} + /* * Once we're further in boot, we get probed like any other virtio * device. @@ -2097,42 +2133,6 @@ fail: return err; }
-static void virtcons_remove(struct virtio_device *vdev) -{ - struct ports_device *portdev; - struct port *port, *port2; - - portdev = vdev->priv; - - spin_lock_irq(&pdrvdata_lock); - list_del(&portdev->list); - spin_unlock_irq(&pdrvdata_lock); - - /* Disable interrupts for vqs */ - vdev->config->reset(vdev); - /* Finish up work that's lined up */ - if (use_multiport(portdev)) - cancel_work_sync(&portdev->control_work); - else - cancel_work_sync(&portdev->config_work); - - list_for_each_entry_safe(port, port2, &portdev->ports, list) - unplug_port(port); - - unregister_chrdev(portdev->chr_major, "virtio-portsdev"); - - /* - * When yanking out a device, we immediately lose the - * (device-side) queues. So there's no point in keeping the - * guest side around till we drop our final reference. This - * also means that any ports which are in an open state will - * have to just stop using the port, as the vqs are going - * away. - */ - remove_vqs(portdev); - kfree(portdev); -} - static struct virtio_device_id id_table[] = { { VIRTIO_ID_CONSOLE, VIRTIO_DEV_ANY_ID }, { 0 },
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 0171c41835591e9aa2e384b703ef9a6ae367c610 upstream.
ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices, needs to lock pn->all_ppp_mutex. Therefore we mustn't call register_netdevice() with pn->all_ppp_mutex already locked, or we'd deadlock in case register_netdevice() fails and calls .ndo_uninit().
Fortunately, we can unlock pn->all_ppp_mutex before calling register_netdevice(). This lock protects pn->units_idr, which isn't used in the device registration process.
However, keeping pn->all_ppp_mutex locked during device registration did ensure that no device in transient state would be published in pn->units_idr. In practice, unlocking it before calling register_netdevice() doesn't change this property: ppp_unit_register() is called with 'ppp_mutex' locked and all searches done in pn->units_idr hold this lock too.
Fixes: 8cb775bc0a34 ("ppp: fix device unregistration upon netns deletion") Reported-and-tested-by: syzbot+367889b9c9e279219175@syzkaller.appspotmail.com Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ppp/ppp_generic.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2788,6 +2788,8 @@ static struct ppp *ppp_create_interface( ppp->file.index = unit; sprintf(dev->name, "ppp%d", unit);
+ mutex_unlock(&pn->all_ppp_mutex); + ret = register_netdevice(dev); if (ret != 0) { /* register_netdevice() may have called ppp_dev_init() @@ -2796,6 +2798,7 @@ static struct ppp *ppp_create_interface( */ if (dev->qdisc_tx_busylock) ppp_dev_priv_destructor(dev); + mutex_lock(&pn->all_ppp_mutex); unit_put(&pn->units_idr, unit); netdev_err(ppp->dev, "PPP: couldn't register device %s (%d)\n", dev->name, ret); @@ -2803,7 +2806,6 @@ static struct ppp *ppp_create_interface( }
atomic_inc(&ppp_unit_count); - mutex_unlock(&pn->all_ppp_mutex); rtnl_unlock();
*retp = 0;
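Review bot: The bare `mutex_unlock(&pn->all_ppp_mutex);` added before register_netdevice() in ppp_create_interface() carries no comment, although its safety rests on an invariant stated only in the commit message: searches in pn->units_idr are serialized by ppp_mutex, so a unit in transient state is not visible to them. Please put that reasoning in a comment at the unlock, so the window between it and the `mutex_lock(&pn->all_ppp_mutex);` in the failure branch is not later mistaken for a race. It would also help to note there that the re-lock exists only to protect unit_put().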
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 10513142a7114d251670361ad40cba2c61403406 upstream.
As recently Smatch suggested, a couple of places in HDSP MADI driver may expand the array directly from the user-space value with speculation:
  sound/pci/rme9652/hdspm.c:5717 snd_hdspm_channel_info() warn: potential spectre issue 'hdspm->channel_map_out' (local cap)
  sound/pci/rme9652/hdspm.c:5734 snd_hdspm_channel_info() warn: potential spectre issue 'hdspm->channel_map_in' (local cap)
This patch puts array_index_nospec() for hardening against them.
BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/pci/rme9652/hdspm.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-)
--- a/sound/pci/rme9652/hdspm.c +++ b/sound/pci/rme9652/hdspm.c @@ -137,6 +137,7 @@ #include <linux/pci.h> #include <linux/math64.h> #include <asm/io.h> +#include <linux/nospec.h>
#include <sound/core.h> #include <sound/control.h> @@ -5724,40 +5725,43 @@ static int snd_hdspm_channel_info(struct struct snd_pcm_channel_info *info) { struct hdspm *hdspm = snd_pcm_substream_chip(substream); + unsigned int channel = info->channel;
if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { - if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) { + if (snd_BUG_ON(channel >= hdspm->max_channels_out)) { dev_info(hdspm->card->dev, "snd_hdspm_channel_info: output channel out of range (%d)\n", - info->channel); + channel); return -EINVAL; }
- if (hdspm->channel_map_out[info->channel] < 0) { + channel = array_index_nospec(channel, hdspm->max_channels_out); + if (hdspm->channel_map_out[channel] < 0) { dev_info(hdspm->card->dev, "snd_hdspm_channel_info: output channel %d mapped out\n", - info->channel); + channel); return -EINVAL; }
- info->offset = hdspm->channel_map_out[info->channel] * + info->offset = hdspm->channel_map_out[channel] * HDSPM_CHANNEL_BUFFER_BYTES; } else { - if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) { + if (snd_BUG_ON(channel >= hdspm->max_channels_in)) { dev_info(hdspm->card->dev, "snd_hdspm_channel_info: input channel out of range (%d)\n", - info->channel); + channel); return -EINVAL; }
- if (hdspm->channel_map_in[info->channel] < 0) { + channel = array_index_nospec(channel, hdspm->max_channels_in); + if (hdspm->channel_map_in[channel] < 0) { dev_info(hdspm->card->dev, "snd_hdspm_channel_info: input channel %d mapped out\n", - info->channel); + channel); return -EINVAL; }
- info->offset = hdspm->channel_map_in[info->channel] * + info->offset = hdspm->channel_map_in[channel] * HDSPM_CHANNEL_BUFFER_BYTES; }
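Review bot: `channel` is declared `unsigned int` in snd_hdspm_channel_info(), but the dev_info() calls that now print it keep the `%d` conversion ("output channel out of range (%d)", "input channel %d mapped out"); these should become `%u`. Reading info->channel once into the local before the range check and array_index_nospec() is the right shape, since the check and the array access then use the same value.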
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream.
Make sure to free the rfkill device in case registration fails during probe.
Fixes: 5e7ca3937fbe ("net: rfkill: gpio: convert to resource managed allocation") Cc: Heikki Krogerus heikki.krogerus@linux.intel.com Signed-off-by: Johan Hovold johan@kernel.org Reviewed-by: Heikki Krogerus heikki.krogerus@linux.intel.com Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/rfkill/rfkill-gpio.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -134,13 +134,18 @@ static int rfkill_gpio_probe(struct plat
ret = rfkill_register(rfkill->rfkill_dev); if (ret < 0) - return ret; + goto err_destroy;
platform_set_drvdata(pdev, rfkill);
dev_info(&pdev->dev, "%s device registered.\n", rfkill->name);
return 0; + +err_destroy: + rfkill_destroy(rfkill->rfkill_dev); + + return ret; }
static int rfkill_gpio_remove(struct platform_device *pdev)
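Review bot: The new err_destroy label in rfkill_gpio_probe() is reached only from the rfkill_register() failure; any earlier `return` between the allocation of rfkill->rfkill_dev and this point lies outside the hunk and would still leak the device. Please check those exits and route them through err_destroy where they apply.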
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kenny Yu kennyyu@fb.com
commit 6496bb72bf20c1c7e4d6be44dfa663163e709116 upstream.
Previously, `create_trace_uprobe` found the *first* occurrence of the ':' character when parsing `PATH:OFFSET` for a uprobe. However, if the path contains a ':' character, then the function would parse the path incorrectly. Even worse, if the path does not exist, the subsequent call to `kern_path()` would set `ret` to `ENOENT`, leading to very cryptic errno values in user space.
The fix is to find the *last* occurrence of ':'.
How to repro:: The write fails with "No such file or directory", suggesting incorrectly that the `uprobe_events` file does not exist.
  $ mkdir testing && cd testing
  $ cp /bin/bash .
  $ cp /bin/bash ./bash:with:colon
  $ echo "p:uprobes/p__root_testing_bash_0x6 /root/testing/bash:0x6" > /sys/kernel/debug/tracing/uprobe_events # this works
  $ echo "p:uprobes/p__root_testing_bash_with_colon_0x6 /root/testing/bash:with:colon:0x6" >> /sys/kernel/debug/tracing/uprobe_events # this doesn't
  -bash: echo: write error: No such file or directory
With the patch:
  $ echo "p:uprobes/p__root_testing_bash_0x6 /root/testing/bash:0x6" > /sys/kernel/debug/tracing/uprobe_events # this still works
  $ echo "p:uprobes/p__root_testing_bash_with_colon_0x6 /root/testing/bash:with:colon:0x6" >> /sys/kernel/debug/tracing/uprobe_events # this works now too!
  $ cat /sys/kernel/debug/tracing/uprobe_events
  p:uprobes/p__root_testing_bash_0x6 /root/testing/bash:0x0000000000000006
  p:uprobes/p__root_testing_bash_with_colon_0x6 /root/testing/bash:with:colon:0x0000000000000006
Link: http://lkml.kernel.org/r/20170113165834.4081016-1-kennyyu@fb.com
Signed-off-by: Kenny Yu kennyyu@fb.com Reviewed-by: Omar Sandoval osandov@fb.com Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/trace/trace_uprobe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -430,7 +430,8 @@ static int create_trace_uprobe(int argc, pr_info("Probe point is not specified.\n"); return -EINVAL; } - arg = strchr(argv[1], ':'); + /* Find the last occurrence, in case the path contains ':' too. */ + arg = strrchr(argv[1], ':'); if (!arg) { ret = -EINVAL; goto fail_address_parse;
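The parsing difference this commit message describes, as an added example that is not part of the patch or of the kernel source: a user-space C model that splits `PATH:OFFSET` at the first versus the last ':' and shows where the misleading ENOENT comes from. The `existing_files` table, `lookup_path`, `parse_probe_point` and `demo_offset` are assumptions made for the illustration (the kernel uses `kern_path()`), and the offset validation is this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the filesystem: the only file that "exists". */
static const char *const existing_files[] = { "/root/testing/bash:with:colon" };

/* Model of a path lookup: 0 if the file exists, -ENOENT otherwise. */
static int lookup_path(const char *path)
{
    size_t i;

    for (i = 0; i < sizeof(existing_files) / sizeof(existing_files[0]); i++)
        if (strcmp(path, existing_files[i]) == 0)
            return 0;
    return -ENOENT;
}

/*
 * Parse "PATH:OFFSET". use_last == 0 splits at the first ':' (pre-patch
 * behaviour), use_last != 0 splits at the last ':' (patched behaviour).
 * Checks run in the order: separator, path lookup, offset.
 */
static int parse_probe_point(const char *spec, int use_last,
                             char *path, size_t path_sz, unsigned long *offset)
{
    const char *sep = use_last ? strrchr(spec, ':') : strchr(spec, ':');
    char *end;
    size_t len;
    int ret;

    if (!sep)
        return -EINVAL;              /* no separator at all */
    len = (size_t)(sep - spec);
    if (len == 0 || len >= path_sz)
        return -EINVAL;              /* empty or oversized path part */
    memcpy(path, spec, len);
    path[len] = '\0';

    ret = lookup_path(path);
    if (ret)
        return ret;                  /* a wrong split surfaces here as ENOENT */

    errno = 0;
    *offset = strtoul(sep + 1, &end, 0);
    if (errno || end == sep + 1 || *end != '\0')
        return -EINVAL;              /* offset must be one complete number */
    return 0;
}

/* Returns the parsed offset, or a negative errno, for one spec. */
static long demo_offset(const char *spec, int use_last)
{
    char path[128];
    unsigned long off = 0;
    int ret = parse_probe_point(spec, use_last, path, sizeof(path), &off);

    return ret ? ret : (long)off;
}

int main(void)
{
    const char *spec = "/root/testing/bash:with:colon:0x6"; /* constructed */

    printf("first ':' -> %ld\n", demo_offset(spec, 0));
    printf("last  ':' -> %ld\n", demo_offset(spec, 1));
    return 0;
}
```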
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go further and hit the sanity check pcm_sanity_check() when the ioctl is called right after open. It may eventually spew a kernel warning, as triggered by syzbot, depending on kconfig.
The lack of PCM state check there was just an oversight. Although it's no real crash, the spurious kernel warning is annoying, so let's add the proper check.
Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/pcm_compat.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c @@ -334,6 +334,8 @@ static int snd_pcm_ioctl_xfern_compat(st return -ENOTTY; if (substream->stream != dir) return -EINVAL; + if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) + return -EBADFD;
if ((ch = substream->runtime->channels) > 128) return -EINVAL;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan shuahkh@osg.samsung.com
commit 5b22f676118ff25049382041da0db8012e57c9e8 upstream.
Validate !rhport < 0 before using it to access port_status array.
Signed-off-by: Shuah Khan shuahkh@osg.samsung.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: - Drop changes to the SetPortFeature USB_PORT_FEAT_{SUSPEND,POWER,BH_PORT_RESET} cases - Add the "error" label - Adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/staging/usbip/vhci_hcd.c +++ b/drivers/staging/usbip/vhci_hcd.c @@ -266,6 +266,8 @@ static int vhci_hub_control(struct usb_h usbip_dbg_vhci_rh(" ClearHubFeature\n"); break; case ClearPortFeature: + if (rhport < 0) + goto error; switch (wValue) { case USB_PORT_FEAT_SUSPEND: if (dum->port_status[rhport] & USB_PORT_STAT_SUSPEND) { @@ -370,6 +372,8 @@ static int vhci_hub_control(struct usb_h case USB_PORT_FEAT_RESET: usbip_dbg_vhci_rh( " SetPortFeature: USB_PORT_FEAT_RESET\n"); + if (rhport < 0) + goto error; /* if it's already running, disconnect first */ if (dum->port_status[rhport] & USB_PORT_STAT_ENABLE) { dum->port_status[rhport] &= @@ -385,6 +389,8 @@ static int vhci_hub_control(struct usb_h default: usbip_dbg_vhci_rh(" SetPortFeature: default %d\n", wValue); + if (rhport < 0) + goto error; dum->port_status[rhport] |= (1 << wValue); break; } @@ -392,7 +398,7 @@ static int vhci_hub_control(struct usb_h
default: pr_err("default: no such request\n"); - +error: /* "protocol stall" on error */ retval = -EPIPE; }
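Review bot: The added checks in vhci_hub_control() reject only `rhport < 0` before indexing dum->port_status[rhport]; nothing in these hunks bounds rhport from above. If rhport is derived from a request field, an upper-bound check against the number of ports belongs in the same place, and a single validation before the switch would be easier to audit than one check per case. The backport note says the changes to the SetPortFeature USB_PORT_FEAT_SUSPEND, POWER and BH_PORT_RESET cases were dropped; please confirm that in 3.16 those values reach the `default:` arm, which does carry the check.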
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra peterz@infradead.org
commit 354d7793070611b4df5a79fbb0f12752d0ed0cc5 upstream.
kernel/sched/autogroup.c:230 proc_sched_autogroup_set_nice() warn: potential spectre issue 'sched_prio_to_weight'
Userspace controls @nice, sanitize the array index.
Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Signed-off-by: Ingo Molnar mingo@kernel.org [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/sched/auto_group.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/kernel/sched/auto_group.c +++ b/kernel/sched/auto_group.c @@ -8,6 +8,7 @@ #include <linux/utsname.h> #include <linux/security.h> #include <linux/export.h> +#include <linux/nospec.h>
unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1; static struct autogroup autogroup_default; @@ -198,7 +199,7 @@ int proc_sched_autogroup_set_nice(struct static unsigned long next = INITIAL_JIFFIES; struct autogroup *ag; unsigned long shares; - int err; + int err, idx;
if (nice < MIN_NICE || nice > MAX_NICE) return -EINVAL; @@ -216,7 +217,9 @@ int proc_sched_autogroup_set_nice(struct
next = HZ / 10 + jiffies; ag = autogroup_task_get(p); - shares = scale_load(prio_to_weight[nice + 20]); + + idx = array_index_nospec(nice + 20, 40); + shares = scale_load(prio_to_weight[idx]);
down_write(&ag->lock); err = sched_group_set_shares(ag->tg, shares);
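Review bot: `idx = array_index_nospec(nice + 20, 40);` hard-codes both the offset and the table size, although the range check a few lines above it is written with MIN_NICE and MAX_NICE. Writing the bound as ARRAY_SIZE(prio_to_weight), or the pair as `nice - MIN_NICE` and `MAX_NICE - MIN_NICE + 1`, keeps the clamp tied to the table it protects if either ever changes.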
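What `array_index_nospec()` contributes in this patch and in the earlier hdspm patch of this series, as an added user-space C model (not the kernel's code and not part of either patch): a branch-free mask that leaves an in-range index unchanged and turns an out-of-range one into 0, so a mispredicted bounds check cannot steer the load. The mask expression follows the generic fallback in include/linux/nospec.h; the channel map, stride and helper names are constructed for the illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define MIN_NICE (-20)
#define MAX_NICE 19
#define NICE_SLOTS (MAX_NICE - MIN_NICE + 1)    /* 40 table entries */

/*
 * All ones when index < size, zero otherwise, computed without a
 * conditional branch. Relies on arithmetic right shift of a negative
 * long and on size <= LONG_MAX.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
                           (BITS_PER_LONG - 1));
}

/* Clamp: in-range indexes pass through, everything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed channel map (not the driver's): -1 marks a mapped-out channel. */
static const int channel_map[] = { 0, 1, -1, 3, 4, 5, -1, 7 };
#define MAX_CHANNELS (sizeof(channel_map) / sizeof(channel_map[0]))
#define CHANNEL_BUFFER_BYTES 4096L              /* constructed stride */

/* Same shape as the patched hdspm lookup: check, clamp, then index. */
static long channel_offset(unsigned int channel)
{
    if (channel >= MAX_CHANNELS)
        return -EINVAL;
    /* Architecturally a no-op here; it matters only under misprediction. */
    channel = (unsigned int)index_nospec(channel, MAX_CHANNELS);
    if (channel_map[channel] < 0)
        return -EINVAL;
    return channel_map[channel] * CHANNEL_BUFFER_BYTES;
}

/* nice value -> table slot, with the clamp bound tied to the nice range. */
static int nice_slot(int nice)
{
    if (nice < MIN_NICE || nice > MAX_NICE)
        return -EINVAL;
    return (int)index_nospec((unsigned long)(nice - MIN_NICE), NICE_SLOTS);
}

int main(void)
{
    /* What a path that skipped the range check would index with. */
    printf("clamp(39, 40) = %lu\n", index_nospec(39, 40));
    printf("clamp(40, 40) = %lu\n", index_nospec(40, 40));
    printf("clamp(-1, 40) = %lu\n", index_nospec((unsigned long)-1L, 40));
    printf("channel 3 offset = %ld\n", channel_offset(3));
    printf("nice 19 slot = %d\n", nice_slot(19));
    return 0;
}
```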
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kamil Lulko kamilx.lulko@intel.com
commit 3180dabe08e3653bf0a838553905d88f3773f29c upstream.
Add DELAY_INIT quirk to fix the following problem with HP v222w 16GB Mini:
  usb 1-3: unable to read config index 0 descriptor/start: -110
  usb 1-3: can't read configurations, error -110
  usb 1-3: can't set config #1, error -110
Signed-off-by: Kamil Lulko kamilx.lulko@intel.com Signed-off-by: Kuppuswamy Sathyanarayanan sathyanarayanan.kuppuswamy@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -45,6 +45,9 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x03f0, 0x0701), .driver_info = USB_QUIRK_STRING_FETCH_255 },
+ /* HP v222w 16GB Mini USB Drive */ + { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT }, + /* Creative SB Audigy 2 NX */ { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara jack@suse.cz
commit 12ecbb4b1d765a5076920999298d9625439dbe58 upstream.
Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) introduced unlock_new_inode() call into ufs_add_nondir(). However that function gets called also from ufs_link() which hands it already initialized inode and thus unlock_new_inode() complains. The problem is harmless but annoying.
Fix the problem by opencoding necessary stuff in ufs_link()
Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8 Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ufs/namei.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ufs/namei.c +++ b/fs/ufs/namei.c @@ -174,7 +174,12 @@ static int ufs_link (struct dentry * old inode_inc_link_count(inode); ihold(inode);
- error = ufs_add_nondir(dentry, inode); + error = ufs_add_link(dentry, inode); + if (error) { + inode_dec_link_count(inode); + iput(inode); + } else + d_instantiate(dentry, inode); unlock_ufs(dir->i_sb); return error; }
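Review bot: In the new error handling in ufs_link(), the if branch is braced and the else branch is not; kernel coding style asks for braces on both branches when either one needs them, so the tail should read "} else { d_instantiate(dentry, inode); }". A one-line comment saying that inode_dec_link_count()/iput() undo the inode_inc_link_count()/ihold() directly above would also make the pairing explicit now that the unwind is open-coded here.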
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nico Sneck nicosneck@hotmail.com
commit b1550359d1eb392ee54f7cf47cffcfe0a602f6a7 upstream.
With this the dGPU turns on correctly.
Signed-off-by: Nico Sneck nicosneck@hotmail.com
Signed-off-by: Alex Deucher alexander.deucher@amd.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/gpu/drm/radeon/radeon_device.c | 4 ++++
 1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -131,6 +131,10 @@ static struct radeon_px_quirk radeon_px_ * https://bugs.freedesktop.org/show_bug.cgi?id=101491 */ { PCI_VENDOR_ID_ATI, 0x6741, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX }, + /* Asus K73TK laptop with AMD A6-3420M APU and Radeon 7670m GPU + * https://bugzilla.kernel.org/show_bug.cgi?id=51381#c52 + */ + { PCI_VENDOR_ID_ATI, 0x6840, 0x1043, 0x2123, RADEON_PX_QUIRK_DISABLE_PX }, { 0, 0, 0, 0, 0 }, };
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
Some control API callbacks in aloop driver are too lazy to take the loopback->cable_lock and it results in possible races of cable access while it's being freed. It eventually leads to a UAF, as reported by fuzzer recently.
This patch covers such control API callbacks and adds the proper mutex locks.
Reported-by: DaeRyong Jeong threeearcat@gmail.com
Signed-off-by: Takashi Iwai tiwai@suse.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/drivers/aloop.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
--- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -829,9 +829,11 @@ static int loopback_rate_shift_get(struc { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].rate_shift; + mutex_unlock(&loopback->cable_lock); return 0; }
@@ -863,9 +865,11 @@ static int loopback_notify_get(struct sn { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify; + mutex_unlock(&loopback->cable_lock); return 0; }
@@ -877,12 +881,14 @@ static int loopback_notify_put(struct sn int change = 0;
val = ucontrol->value.integer.value[0] ? 1 : 0; + mutex_lock(&loopback->cable_lock); if (val != loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify) { loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify = val; change = 1; } + mutex_unlock(&loopback->cable_lock); return change; }
@@ -890,13 +896,16 @@ static int loopback_active_get(struct sn struct snd_ctl_elem_value *ucontrol) { struct loopback *loopback = snd_kcontrol_chip(kcontrol); - struct loopback_cable *cable = loopback->cables - [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; + struct loopback_cable *cable; + unsigned int val = 0;
+ mutex_lock(&loopback->cable_lock); + cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1]; if (cable != NULL) val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0; + mutex_unlock(&loopback->cable_lock); ucontrol->value.integer.value[0] = val; return 0; } @@ -939,9 +948,11 @@ static int loopback_rate_get(struct snd_ { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].rate; + mutex_unlock(&loopback->cable_lock); return 0; }
@@ -961,9 +972,11 @@ static int loopback_channels_get(struct { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].channels; + mutex_unlock(&loopback->cable_lock); return 0; }
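Review bot: The changelog justifies the locking by a use-after-free on the cable, but of the callbacks touched here only loopback_active_get() dereferences a cable pointer (loopback->cables[...], then cable->running); loopback_rate_shift_get(), loopback_notify_get(), loopback_notify_put(), loopback_rate_get() and loopback_channels_get() only read or write loopback->setup[...] fields. The changelog should say what cable_lock protects in those five cases (for example, consistency with whoever updates setup[] under the same lock), otherwise a later cleanup may drop them as unnecessary. In loopback_active_get() the lookup, the NULL test and the read of cable->running are now all inside the critical section, which is the part that closes the reported race.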
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hendrik Brueckner brueckner@linux.ibm.com
commit 4bbaf2584b86b0772413edeac22ff448f36351b1 upstream.
Correct a trinity finding for the perf_event_open() system call with a perf event attribute structure that uses a frequency but has the sampling frequency set to zero. This causes a FP divide exception during the sample rate initialization for the hardware sampling facility.
Fixes: 8c069ff4bd606 ("s390/perf: add support for the CPU-Measurement Sampling Facility")
Reviewed-by: Heiko Carstens heiko.carstens@de.ibm.com
Signed-off-by: Hendrik Brueckner brueckner@linux.ibm.com
Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/s390/kernel/perf_cpum_sf.c | 4 ++++
 1 file changed, 4 insertions(+)
--- a/arch/s390/kernel/perf_cpum_sf.c +++ b/arch/s390/kernel/perf_cpum_sf.c @@ -744,6 +744,10 @@ static int __hw_perf_event_init(struct p */ rate = 0; if (attr->freq) { + if (!attr->sample_freq) { + err = -EINVAL; + goto out; + } rate = freq_to_sample_rate(&si, attr->sample_freq); rate = hw_limit_rate(&si, rate); attr->freq = 0;
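Review bot: The new "if (!attr->sample_freq)" test in __hw_perf_event_init() has no comment, and nothing at this site shows that the value ends up as a divisor inside freq_to_sample_rate(). A one-line comment stating that a zero frequency from userspace would cause a divide exception in the rate calculation would keep the check from being removed as redundant. If freq_to_sample_rate() has other callers, rejecting zero inside it would cover them as well.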
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Roland Dreier roland@purestorage.com
commit 8435168d50e66fa5eae01852769d20a36f9e5e83 upstream.
Check to make sure that ctx->cm_id->device is set before we use it. Otherwise userspace can trigger a NULL dereference by doing RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.
Reported-by: syzbot+a67bc93e14682d92fc2f@syzkaller.appspotmail.com
Signed-off-by: Roland Dreier roland@purestorage.com
Signed-off-by: Jason Gunthorpe jgg@mellanox.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/infiniband/core/ucma.c | 3 +++
 1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1142,6 +1142,9 @@ static int ucma_set_ib_path(struct ucma_ if (!optlen) return -EINVAL;
+ if (!ctx->cm_id->device) + return -EINVAL; + memset(&sa_path, 0, sizeof(sa_path)); sa_path.vlan_id = 0xffff;
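Review bot: The NULL test on ctx->cm_id->device is added only in ucma_set_ib_path(), while the changelog describes the trigger as RDMA_USER_CM_CMD_SET_OPTION on an unbound ID in general. Please confirm that no other option handler reached through the same command uses cm_id->device before the ID is bound; if one does, the check belongs in the common dispatch path rather than in this one handler. The placement after the optlen test and before the first use of sa_path is fine.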
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit a466856e0b7ab269cdf9461886d007e88ff575b0 upstream.
syzbot reported :
BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
We need to check addr_len before dereferencing sa (or uaddr)
Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
Signed-off-by: Eric Dumazet edumazet@google.com
Reported-by: syzbot syzkaller@googlegroups.com
Cc: Stephan Mueller smueller@chronox.de
Cc: Herbert Xu herbert@gondor.apana.org.au
Signed-off-by: David S. Miller davem@davemloft.net
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 crypto/af_alg.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, void *private; int err;
- /* If caller uses non-allowed flag, return error. */ - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) - return -EINVAL; - if (sock->state == SS_CONNECTED) return -EINVAL;
if (addr_len != sizeof(*sa)) return -EINVAL;
+ /* If caller uses non-allowed flag, return error. */ + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) + return -EINVAL; + sa->salg_type[sizeof(sa->salg_type) - 1] = 0; sa->salg_name[sizeof(sa->salg_name) - 1] = 0;
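Review bot: Nothing in alg_bind() records that the "addr_len != sizeof(*sa)" test must come before any read through sa, which is exactly the ordering mistake this change corrects. The moved block keeps its old comment about non-allowed flags; adding a short comment on the length check (for example "must precede any access to *sa") would stop a future reorder from reintroducing the uninitialised read of sa->salg_feat and sa->salg_mask. The resulting order (socket state, length, flags, then NUL-terminating salg_type and salg_name) is correct.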
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 upstream.
Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that it actually points to valid data.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault g.nault@alphalink.fr
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/l2tp/l2tp_ppp.c | 7 +++++++
 1 file changed, 7 insertions(+)
--- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -641,6 +641,13 @@ static int pppol2tp_connect(struct socke lock_sock(sk);
error = -EINVAL; + + if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) && + sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) && + sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) && + sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6)) + goto end; + if (sp->sa_protocol != PX_PROTO_OL2TP) goto end;
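Review bot: The four-way sockaddr_len comparison in pppol2tp_connect() hard-codes the list of accepted address layouts with no comment tying it to the code that parses them. If the function later selects the layout by comparing sockaddr_len against the same four sizeof() values, the two lists have to stay in sync, so a comment here or a small helper returning the matched variant would help. The check itself is in the right place: it runs before the first read of sp->sa_protocol and leaves through the existing end label with error already set to -EINVAL.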
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 1d8d6428d1da642ddd75b0be2d1bb1123ff8e017 upstream.
The Dell Dock USB-audio device with 0bda:4014 is behaving notoriously badly, and we have already applied some workaround to avoid the firmware hiccup. Yet we still need to skip one thing, the Extension Unit at ID 4, which doesn't react correctly to the mixer ctl access.
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1090658
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/usb/mixer_maps.c | 3 +++
 1 file changed, 3 insertions(+)
--- a/sound/usb/mixer_maps.c +++ b/sound/usb/mixer_maps.c @@ -346,8 +346,11 @@ static struct usbmix_name_map bose_compa /* * Dell usb dock with ALC4020 codec had a firmware problem where it got * screwed up when zero volume is passed; just skip it as a workaround + * + * Also the extension unit gives an access error, so skip it as well. */ static const struct usbmix_name_map dell_alc4020_map[] = { + { 4, NULL }, /* extension unit */ { 16, NULL }, { 19, NULL }, { 0 }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann daniel@iogearbox.net
commit 3aab8884c9eb99189a3569ac4e6b205371c9ac0b upstream.
While reviewing x64 JIT code, I noticed that we leak the prior allocated JIT image in the case where proglen != oldproglen during the JIT passes. Prior to the commit e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler") we would just break out of the loop, and using the image as the JITed prog since it could only shrink in size anyway. After e0ee9c12157d, we would bail out to out_addrs label where we free addrs and jit_data but not the image coming from bpf_jit_binary_alloc().
Fixes: e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler")
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
Acked-by: Alexei Starovoitov ast@kernel.org
Acked-by: David S. Miller davem@davemloft.net
Signed-off-by: Alexei Starovoitov ast@kernel.org
[bwh: Backported to 3.16: Deleted code is slightly different]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/x86/net/bpf_jit_comp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -914,6 +914,7 @@ void bpf_int_jit_compile(struct sk_filte for (pass = 0; pass < 10 || image; pass++) { proglen = do_jit(prog, addrs, image, oldproglen, &ctx); if (proglen <= 0) { +out_image: image = NULL; if (header) module_free(NULL, header); @@ -923,7 +924,7 @@ void bpf_int_jit_compile(struct sk_filte if (proglen != oldproglen) { pr_err("bpf_jit: proglen=%d != oldproglen=%d\n", proglen, oldproglen); - goto out; + goto out_image; } break; }
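Review bot: The out_image label is placed inside the body of "if (proglen <= 0) {", and the new "goto out_image" jumps into that block from the sibling "proglen != oldproglen" branch. That is legal C and does reach the "image = NULL; if (header) module_free(NULL, header);" cleanup, but a backward jump into the middle of a conditional is easy to misread and easy to break when the block is edited. Consider a short comment at the label saying it is also the target for the size-mismatch case, or moving the image cleanup next to the existing out labels at the end of the function.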
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream.
We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for their copies. As it is, creating a deep stack of bindings of /proc/*/ns/* somewhere in a new namespace and exiting yields a stack overflow.
Reported-by: Alexander Aring aring@mojatatu.com
Bisected-by: Kirill Tkhai ktkhai@virtuozzo.com
Tested-by: Kirill Tkhai ktkhai@virtuozzo.com
Tested-by: Alexander Aring aring@mojatatu.com
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/namespace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/namespace.c +++ b/fs/namespace.c @@ -903,7 +903,8 @@ static struct mount *clone_mnt(struct mo goto out_free; }
- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED); + mnt->mnt.mnt_flags = old->mnt.mnt_flags; + mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL); /* Don't allow unprivileged users to change mount flags */ if (flag & CL_UNPRIVILEGED) { mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
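Review bot: The reason MNT_INTERNAL is now masked out in clone_mnt() lives only in the changelog; the code gives no hint why a clone must not inherit it. A comment on the new "mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);" line, saying that the flag is meant only for mounts created by kernel-internal mounts and not for their copies, would keep the flag from being dropped from the mask later. Splitting the assignment and the mask into two statements is fine.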
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" macro@mips.com
commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 upstream.
Check the TIF_32BIT_FPREGS task setting of the tracee rather than the tracer in determining the layout of floating-point general registers in the floating-point context, correcting access to odd-numbered registers for o32 tracees where the setting disagrees between the two processes.
Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries")
Signed-off-by: Maciej W. Rozycki macro@mips.com
Cc: Ralf Baechle ralf@linux-mips.org
Cc: linux-mips@linux-mips.org
Signed-off-by: James Hogan jhogan@kernel.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/mips/kernel/ptrace.c | 4 ++--
 arch/mips/kernel/ptrace32.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
--- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -741,7 +741,7 @@ long arch_ptrace(struct task_struct *chi fregs = get_fpu_regs(child);
#ifdef CONFIG_32BIT - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even @@ -830,7 +830,7 @@ long arch_ptrace(struct task_struct *chi
init_fp_ctx(child); #ifdef CONFIG_32BIT - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even --- a/arch/mips/kernel/ptrace32.c +++ b/arch/mips/kernel/ptrace32.c @@ -97,7 +97,7 @@ long compat_arch_ptrace(struct task_stru break; } fregs = get_fpu_regs(child); - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even @@ -203,7 +203,7 @@ long compat_arch_ptrace(struct task_stru sizeof(child->thread.fpu)); child->thread.fpu.fcr31 = 0; } - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even
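Review bot: The same tracer-versus-tracee mix-up is corrected at four separate sites (two in arch_ptrace(), two in compat_arch_ptrace()), and nothing prevents test_thread_flag() from creeping back in at one of them. A small helper that takes child and wraps test_tsk_thread_flag(child, TIF_32BIT_FPREGS), used at all four sites, would make it harder to test the calling task by accident. Failing that, the existing "odd registers" comment at each site could state that the flag is read from the tracee.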
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu herbert@gondor.apana.org.au
commit 900a081f6912a8985dc15380ec912752cb66025a upstream.
When we have an unaligned SG list entry where there is no leftover aligned data, the hash walk code will incorrectly return zero as if the entire SG list has been processed.
This patch fixes it by moving onto the next page instead.
Reported-by: Eli Cooper elicooper@gmx.com
Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 crypto/ahash.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/crypto/ahash.c +++ b/crypto/ahash.c @@ -90,13 +90,14 @@ int crypto_hash_walk_done(struct crypto_
if (nbytes && walk->offset & alignmask && !err) { walk->offset = ALIGN(walk->offset, alignmask + 1); - walk->data += walk->offset; - nbytes = min(nbytes, ((unsigned int)(PAGE_SIZE)) - walk->offset); walk->entrylen -= nbytes;
- return nbytes; + if (nbytes) { + walk->data += walk->offset; + return nbytes; + } }
if (walk->flags & CRYPTO_ALG_ASYNC)
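Review bot: When nbytes is zero after the min() in crypto_hash_walk_done(), control now falls out of the alignment block with walk->offset already rounded up by ALIGN() and walk->entrylen adjusted, but walk->data untouched, and nothing in the code says that this is intentional. Please add a comment on the "if (nbytes)" test stating that the zero case deliberately continues to the next-page handling below, and confirm that the code after the block does not rely on walk->data having been advanced. The changelog explains the intent; the function itself should as well, since this is the kind of early-termination bug that silently truncates the hashed input.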
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra peterz@infradead.org
commit 46b1b577229a091b137831becaa0fae8690ee15a upstream.
arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
arch/x86/events/intel/core.c:337 intel_pmu_event_map() warn: potential spectre issue 'intel_perfmon_event_map'
arch/x86/events/intel/knc.c:122 knc_pmu_event_map() warn: potential spectre issue 'knc_perfmon_event_map'
arch/x86/events/intel/p4.c:722 p4_pmu_event_map() warn: potential spectre issue 'p4_general_events'
arch/x86/events/intel/p6.c:116 p6_pmu_event_map() warn: potential spectre issue 'p6_perfmon_event_map'
arch/x86/events/amd/core.c:132 amd_pmu_event_map() warn: potential spectre issue 'amd_perfmon_event_map'
Userspace controls @attr, sanitize @attr->config before passing it on to x86_pmu::event_map().
Reported-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: Alexander Shishkin alexander.shishkin@linux.intel.com
Cc: Arnaldo Carvalho de Melo acme@redhat.com
Cc: Jiri Olsa jolsa@redhat.com
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Peter Zijlstra peterz@infradead.org
Cc: Stephane Eranian eranian@google.com
Cc: Thomas Gleixner tglx@linutronix.de
Cc: Vince Weaver vincent.weaver@maine.edu
Signed-off-by: Ingo Molnar mingo@kernel.org
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/x86/kernel/cpu/perf_event.c | 3 +++
 1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/cpu/perf_event.c +++ b/arch/x86/kernel/cpu/perf_event.c @@ -25,6 +25,7 @@ #include <linux/cpu.h> #include <linux/bitops.h> #include <linux/device.h> +#include <linux/nospec.h>
#include <asm/apic.h> #include <asm/stacktrace.h> @@ -319,6 +320,8 @@ int x86_setup_perfctr(struct perf_event if (attr->config >= x86_pmu.max_events) return -EINVAL;
+ attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events); + /* * The generic map: */
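Review bot: The array_index_nospec() line in x86_setup_perfctr() depends on the "attr->config >= x86_pmu.max_events" test directly above it, both for the speculation barrier to mean anything and for the (unsigned long) cast to be harmless where unsigned long is narrower than attr->config, yet no comment ties the two together. Please add one so the pair is not separated by a later edit. The added line also runs past 80 columns and should be wrapped after the first argument.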
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 5aa1437d2d9a068c0334bd7c9dafa8ec4f97f13b upstream.
open file, unlink it, then use ioctl(2) to make it immutable or append only. Now close it and watch the blocks *not* freed...
Immutable/append-only checks belong in ->setattr(). Note: the bug is old and backport to anything prior to 737f2e93b972 ("ext2: convert to use the new truncate convention") will need these checks lifted into ext2_setattr().
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/ext2/inode.c | 10 ----------
 1 file changed, 10 deletions(-)
--- a/fs/ext2/inode.c +++ b/fs/ext2/inode.c @@ -1169,21 +1169,11 @@ do_indirects:
static void ext2_truncate_blocks(struct inode *inode, loff_t offset) { - /* - * XXX: it seems like a bug here that we don't allow - * IS_APPEND inode to have blocks-past-i_size trimmed off. - * review and fix this. - * - * Also would be nice to be able to handle IO errors and such, - * but that's probably too much to ask. - */ if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))) return; if (ext2_inode_is_fast_symlink(inode)) return; - if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) - return; __ext2_truncate_blocks(inode, offset); }
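Review bot: This backport only deletes the IS_APPEND()/IS_IMMUTABLE() early return from ext2_truncate_blocks() and adds no replacement check, while the changelog warns that trees without 737f2e93b972 need those checks lifted into ext2_setattr(). The backport note says only "adjust context", so please state explicitly that the 3.16 tree already contains 737f2e93b972 and that truncation of append-only or immutable inodes is still rejected on the setattr path. Without that, the deletion would remove the only visible enforcement point.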
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich danilokrummrich@dk-develop.de
commit a0b0d1c345d0317efe594df268feb5ccc99f651e upstream.
proc_sys_link_fill_cache() does not take currently unregistering sysctl tables into account, which might result in a page fault in sysctl_follow_link() - add a check to fix it.
This bug has been present since v3.4.
Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de
Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: Danilo Krummrich danilokrummrich@dk-develop.de
Acked-by: Kees Cook keescook@chromium.org
Reviewed-by: Andrew Morton akpm@linux-foundation.org
Cc: "Luis R . Rodriguez" mcgrof@kernel.org
Cc: "Eric W. Biederman" ebiederm@xmission.com
Cc: Alexey Dobriyan adobriyan@gmail.com
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/proc/proc_sysctl.c | 3 +++
 1 file changed, 3 insertions(+)
--- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -654,7 +654,10 @@ static bool proc_sys_link_fill_cache(str struct ctl_table *table) { bool ret = true; + head = sysctl_head_grab(head); + if (IS_ERR(head)) + return false;
if (S_ISLNK(table->mode)) { /* It is not an error if we can not follow the link ignore it */
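Review bot: The new IS_ERR(head) branch in proc_sys_link_fill_cache() returns false, whereas the comment immediately below says that failing to follow a link is not an error and is to be ignored, and ret is initialised to true. Please explain in the changelog or a comment why a table that is being unregistered is reported as a failure to the caller instead of being skipped like an unfollowable link; if the caller stops filling the directory on false, one racing unregister would truncate the listing. The IS_ERR() test itself is needed before head is used further.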
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu mhiramat@kernel.org
commit eb0146daefdde65665b7f076fbff7b49dade95b9 upstream.
Prohibit kprobes on do_undefinstr because kprobes on arm is implemented by undefined instruction. This means if we probe do_undefinstr(), it can cause infinite recursive exception.
Fixes: 24ba613c9d6c ("ARM kprobes: core code")
Signed-off-by: Masami Hiramatsu mhiramat@kernel.org
Signed-off-by: Russell King rmk+kernel@armlinux.org.uk
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 arch/arm/kernel/traps.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -19,6 +19,7 @@ #include <linux/uaccess.h> #include <linux/hardirq.h> #include <linux/kdebug.h> +#include <linux/kprobes.h> #include <linux/module.h> #include <linux/kexec.h> #include <linux/bug.h> @@ -392,7 +393,8 @@ void unregister_undef_hook(struct undef_ raw_spin_unlock_irqrestore(&undef_lock, flags); }
-static int call_undef_hook(struct pt_regs *regs, unsigned int instr) +static nokprobe_inline +int call_undef_hook(struct pt_regs *regs, unsigned int instr) { struct undef_hook *hook; unsigned long flags; @@ -465,6 +467,7 @@ die_sig:
arm_notify_die("Oops - undefined instruction", regs, &info, 0, 6); } +NOKPROBE_SYMBOL(do_undefinstr)
asmlinkage void do_unexp_fiq (struct pt_regs *regs) {
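Review bot: "NOKPROBE_SYMBOL(do_undefinstr)" is added without a trailing semicolon; even if the macro expansion makes that compile, it is inconsistent with how the macro is normally written and trips up tools that parse it as a statement, so please add the semicolon. The changelog should also mention why call_undef_hook() is marked nokprobe_inline, since it only talks about do_undefinstr(); presumably the hook dispatch runs on the same undefined-instruction path and must not be probed either.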
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit b231509616feb911c2a7a8814d58c0014ef5b17f upstream.
Currently udf_iget() (triggered by NFS) can race with udf_new_inode() leading to two inode structures with the same inode number:
nfsd: iget_locked() creates inode
nfsd: try to read from disk, block on that.
udf_new_inode(): allocate inode with that inumber
udf_new_inode(): insert it into icache, set it up and dirty
udf_write_inode(): write inode into buffer cache
nfsd: get CPU again, look into buffer cache, see nice and sane on-disk inode, set the in-core inode from it
Fix the problem by putting inode into icache in locked state (I_NEW set) and unlocking it only after it's fully set up.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/udf/ialloc.c | 7 ++++++-
 fs/udf/namei.c | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
--- a/fs/udf/ialloc.c +++ b/fs/udf/ialloc.c @@ -123,7 +123,12 @@ struct inode *udf_new_inode(struct inode iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; inode->i_mtime = inode->i_atime = inode->i_ctime = iinfo->i_crtime = current_fs_time(inode->i_sb); - insert_inode_hash(inode); + if (unlikely(insert_inode_locked(inode) < 0)) { + make_bad_inode(inode); + iput(inode); + *err = -EIO; + return NULL; + } mark_inode_dirty(inode);
*err = 0; --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -562,6 +562,7 @@ static int udf_add_nondir(struct dentry fi = udf_add_entry(dir, dentry, &fibh, &cfi, &err); if (unlikely(!fi)) { inode_dec_link_count(inode); + unlock_new_inode(inode); iput(inode); return err; } @@ -575,6 +576,7 @@ static int udf_add_nondir(struct dentry if (fibh.sbh != fibh.ebh) brelse(fibh.ebh); brelse(fibh.sbh); + unlock_new_inode(inode); d_instantiate(dentry, inode);
return 0; @@ -622,6 +624,7 @@ static int udf_tmpfile(struct inode *dir mark_inode_dirty(inode);
d_tmpfile(dentry, inode); + unlock_new_inode(inode); return 0; }
@@ -663,6 +666,7 @@ static int udf_mkdir(struct inode *dir, fi = udf_add_entry(inode, NULL, &fibh, &cfi, &err); if (!fi) { inode_dec_link_count(inode); + unlock_new_inode(inode); iput(inode); goto out; } @@ -681,6 +685,7 @@ static int udf_mkdir(struct inode *dir, if (!fi) { clear_nlink(inode); mark_inode_dirty(inode); + unlock_new_inode(inode); iput(inode); goto out; } @@ -692,6 +697,7 @@ static int udf_mkdir(struct inode *dir, udf_write_fi(dir, &cfi, fi, &fibh, NULL, NULL); inc_nlink(dir); mark_inode_dirty(dir); + unlock_new_inode(inode); d_instantiate(dentry, inode); if (fibh.sbh != fibh.ebh) brelse(fibh.ebh); @@ -999,6 +1005,7 @@ out: out_no_entry: up_write(&iinfo->i_data_sem); inode_dec_link_count(inode); + unlock_new_inode(inode); iput(inode); goto out; }
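Review bot: Once udf_new_inode() switches to insert_inode_locked(), every caller has to call unlock_new_inode() on every exit, and the patch open-codes that at seven places (udf_add_nondir() twice, udf_tmpfile(), udf_mkdir() three times, and out_no_entry). Please state in the changelog that all callers of udf_new_inode() were audited, because any path missed here leaves the inode with I_NEW set and blocks later lookups of it. In the new failure branch in udf_new_inode(), also confirm that make_bad_inode() followed by iput() releases whatever was allocated for the inode earlier in the function, since the hunk shows only the tail of the setup.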
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marek Lindner mareklindner@neomailbox.ch
commit 16116dac23396e73c01eeee97b102e4833a4b205 upstream.
A translation table TVLV changeset sent with an OGM consists of a number of headers (one per VLAN) plus the changeset itself (addition and/or deletion of entries).
The per-VLAN headers are used by OGM recipients for consistency checks. Said consistency check might determine that a full translation table request is needed to restore consistency. If the TT sender adds per-VLAN headers of empty VLANs into the OGM, recipients are led to believe to have reached an inconsistent state and thus request a full table update. The full table does not contain empty VLANs (due to missing entries) the cycle restarts when the next OGM is issued.
Consequently, when the translation table TVLV headers are composed, empty VLANs are to be excluded.
Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Marek Lindner mareklindner@neomailbox.ch Signed-off-by: Sven Eckelmann sven@narfation.org Signed-off-by: Simon Wunderlich sw@simonwunderlich.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -786,14 +786,21 @@ batadv_tt_prepare_tvlv_local_data(struct { struct batadv_tvlv_tt_vlan_data *tt_vlan; struct batadv_softif_vlan *vlan; - uint16_t num_vlan = 0, num_entries = 0, tvlv_len; + u16 num_vlan = 0; + u16 vlan_entries = 0; + u16 total_entries = 0; + u16 tvlv_len; uint8_t *tt_change_ptr; int change_offset;
spin_lock_bh(&bat_priv->softif_vlan_list_lock); hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) { + vlan_entries = atomic_read(&vlan->tt.num_entries); + if (vlan_entries < 1) + continue; + num_vlan++; - num_entries += atomic_read(&vlan->tt.num_entries); + total_entries += vlan_entries; }
change_offset = sizeof(**tt_data); @@ -801,7 +808,7 @@ batadv_tt_prepare_tvlv_local_data(struct
/* if tt_len is negative, allocate the space needed by the full table */ if (*tt_len < 0) - *tt_len = batadv_tt_len(num_entries); + *tt_len = batadv_tt_len(total_entries);
tvlv_len = *tt_len; tvlv_len += change_offset; @@ -818,6 +825,10 @@ batadv_tt_prepare_tvlv_local_data(struct
tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1); hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) { + vlan_entries = atomic_read(&vlan->tt.num_entries); + if (vlan_entries < 1) + continue; + tt_vlan->vid = htons(vlan->vid); tt_vlan->crc = htonl(vlan->tt.crc);
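Review bot: vlan_entries is declared u16 but is assigned from atomic_read(&vlan->tt.num_entries), so the "vlan_entries < 1" test in both loops of batadv_tt_prepare_tvlv_local_data() can only ever mean "== 0", and a negative counter would wrap to a large positive value and be counted. Either keep the value in an int for the comparison or write the test as "== 0" so the intent matches the type. The new declarations also use u16 while the adjacent tt_change_ptr keeps uint8_t; the backport should use one spelling consistently. Since num_vlan from the first loop sizes the buffer that the second loop fills, both loops must see the same counter values; please confirm that softif_vlan_list_lock stays held across both.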
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joakim Tjernlund joakim.tjernlund@infinera.com
commit 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 upstream.
Currently it is possible to read and/or write to suspend EB's. Writing /dev/mtdX or /dev/mtdblockX from several processes may break the flash state machine.
Taken from cfi_cmdset_0001 driver.
Signed-off-by: Joakim Tjernlund joakim.tjernlund@infinera.com
Reviewed-by: Richard Weinberger richard@nod.at
Signed-off-by: Boris Brezillon boris.brezillon@bootlin.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/mtd/chips/cfi_cmdset_0002.c +++ b/drivers/mtd/chips/cfi_cmdset_0002.c @@ -780,9 +780,10 @@ static int get_chip(struct map_info *map (mode == FL_WRITING && (cfip->EraseSuspend & 0x2)))) goto sleep;
- /* We could check to see if we're trying to access the sector - * that is currently being erased. However, no user will try - * anything like that so we just wait for the timeout. */ + /* Do not allow suspend iff read/write to EB address */ + if ((adr & chip->in_progress_block_mask) == + chip->in_progress_block_addr) + goto sleep;
/* Erase suspend */ /* It's harmless to issue the Erase-Suspend and Erase-Resume @@ -1926,6 +1927,7 @@ static int __xipram do_erase_chip(struct chip->state = FL_ERASING; chip->erase_suspended = 0; chip->in_progress_block_addr = adr; + chip->in_progress_block_mask = ~(map->size - 1);
INVALIDATE_CACHE_UDELAY(map, chip, adr, map->size, @@ -2015,6 +2017,7 @@ static int __xipram do_erase_oneblock(st chip->state = FL_ERASING; chip->erase_suspended = 0; chip->in_progress_block_addr = adr; + chip->in_progress_block_mask = ~(len - 1);
INVALIDATE_CACHE_UDELAY(map, chip, adr, len,
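Review bot: The masks set in do_erase_chip() and do_erase_oneblock(), "~(map->size - 1)" and "~(len - 1)", are valid block masks only when the size is a power of two, and the comparison in get_chip() additionally assumes in_progress_block_addr is aligned to that size; neither assumption is stated. Please add a comment at the two assignments, or a check, so that an odd-sized region does not silently defeat the new guard. The replacement comment "Do not allow suspend iff read/write to EB address" uses "iff" where "if" is meant. Finally, in_progress_block_mask is assigned here but the diffstat touches only cfi_cmdset_0002.c, so please confirm that the field already exists in the chip structure in the 3.16 tree.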
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit f6d297df4dd47ef949540e4a201230d0c5308325 upstream.
The previous fix 40cab6e88cb0 ("ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams") introduced some mutex unbalance; the check of runtime->oss.rw_ref was inserted in a wrong place after the mutex lock.
This patch fixes the inconsistency by rewriting with the helper functions to lock/unlock parameters with the stream check.
Fixes: 40cab6e88cb0 ("ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams")
Reported-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 sound/core/oss/pcm_oss.c | 67 +++++++++++++++++++++++++---------------
 1 file changed, 42 insertions(+), 25 deletions(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -833,6 +833,23 @@ static int choose_rate(struct snd_pcm_su return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); }
+/* parameter locking: returns immediately if tried during streaming */ +static int lock_params(struct snd_pcm_runtime *runtime) +{ + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + if (atomic_read(&runtime->oss.rw_ref)) { + mutex_unlock(&runtime->oss.params_lock); + return -EBUSY; + } + return 0; +} + +static void unlock_params(struct snd_pcm_runtime *runtime) +{ + mutex_unlock(&runtime->oss.params_lock); +} + /* call with params_lock held */ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) { @@ -1774,6 +1791,8 @@ static int snd_pcm_oss_set_rate(struct s for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; struct snd_pcm_runtime *runtime; + int err; + if (substream == NULL) continue; runtime = substream->runtime; @@ -1781,15 +1800,14 @@ static int snd_pcm_oss_set_rate(struct s rate = 1000; else if (rate > 192000) rate = 192000; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; - if (atomic_read(&runtime->oss.rw_ref)) - return -EBUSY; + err = lock_params(runtime); + if (err < 0) + return err; if (runtime->oss.rate != rate) { runtime->oss.params = 1; runtime->oss.rate = rate; } - mutex_unlock(&runtime->oss.params_lock); + unlock_params(runtime); } return snd_pcm_oss_get_rate(pcm_oss_file); } 
@@ -1814,18 +1832,19 @@ static int snd_pcm_oss_set_channels(stru for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; struct snd_pcm_runtime *runtime; + int err; + if (substream == NULL) continue; runtime = substream->runtime; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; - if (atomic_read(&runtime->oss.rw_ref)) - return -EBUSY; + err = lock_params(runtime); + if (err < 0) + return err; if (runtime->oss.channels != channels) { runtime->oss.params = 1; runtime->oss.channels = channels; } - mutex_unlock(&runtime->oss.params_lock); + unlock_params(runtime); } return snd_pcm_oss_get_channels(pcm_oss_file); } @@ -1896,6 +1915,7 @@ static int snd_pcm_oss_get_formats(struc static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format) { int formats, idx; + int err; if (format != AFMT_QUERY) { formats = snd_pcm_oss_get_formats(pcm_oss_file); @@ -1909,15 +1929,14 @@ static int snd_pcm_oss_set_format(struct if (substream == NULL) continue; runtime = substream->runtime; - if (atomic_read(&runtime->oss.rw_ref)) - return -EBUSY; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; + err = lock_params(runtime); + if (err < 0) + return err; if (runtime->oss.format != format) { runtime->oss.params = 1; runtime->oss.format = format; } - mutex_unlock(&runtime->oss.params_lock); + unlock_params(runtime); } } return snd_pcm_oss_get_format(pcm_oss_file); @@ -1965,12 +1984,11 @@ static int snd_pcm_oss_set_subdivide(str if (substream == NULL) continue; runtime = substream->runtime; - if (atomic_read(&runtime->oss.rw_ref)) - return -EBUSY; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; + err = lock_params(runtime); + if (err < 0) + return err; err = snd_pcm_oss_set_subdivide1(substream, subdivide); - mutex_unlock(&runtime->oss.params_lock); + unlock_params(runtime); if (err < 0) return err; } 
@@ -2005,12 +2023,11 @@ static int snd_pcm_oss_set_fragment(stru if (substream == NULL) continue; runtime = substream->runtime; - if (atomic_read(&runtime->oss.rw_ref)) - return -EBUSY; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; + err = lock_params(runtime); + if (err < 0) + return err; err = snd_pcm_oss_set_fragment1(substream, val); - mutex_unlock(&runtime->oss.params_lock); + unlock_params(runtime); if (err < 0) return err; }
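Review bot: The comment on lock_params() says it "returns immediately if tried during streaming", but the helper first sleeps in mutex_lock_interruptible() and only then tests rw_ref, so it can block and can also fail with -ERESTARTSYS. Please reword the comment to list both error returns and to state that unlock_params() is to be called only after a return of 0, since on -EBUSY the helper has already dropped params_lock. Also note that in snd_pcm_oss_set_rate() and snd_pcm_oss_set_channels() the early "return err" sits inside the "for (idx = 1; idx >= 0; --idx)" loop, so a busy second stream leaves the first one already modified; a line in the commit message or a comment saying whether that partial update is acceptable would help.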
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Galbraith efault@gmx.de
commit 83929cce95251cc77e5659bf493bd424ae0e7a67 upstream.
Michael Kerrisk reported:
Regarding the previous paragraph... My tests indicate that writing *any* value to the autogroup [nice priority level] file causes the task group to get a lower priority.
Because autogroup didn't call the then meaningless scale_load()...
Autogroup nice level adjustment has been broken ever since load resolution was increased for 64-bit kernels. Use scale_load() to scale group weight.
Michael Kerrisk tested this patch to fix the problem:
Applied and tested against 4.9-rc6 on an Intel u7 (4 cores). Test setup:
Terminal window 1: running 40 CPU burner jobs
Terminal window 2: running 40 CPU burner jobs
Terminal window 1: running 1 CPU burner job
Demonstrated that:
- Writing "0" to the autogroup file for TW1 now causes no change to the rate at which the processes on the terminal consume CPU.
- Writing -20 to the autogroup file for TW1 caused those processes to get the lion's share of CPU while TW2 and TW3 get a tiny amount.
- Writing -20 to the autogroup files for TW1 and TW3 allowed the process on TW3 to get as much CPU as it was getting when the autogroup nice values for both terminals were 0.
Reported-by: Michael Kerrisk mtk.manpages@gmail.com Tested-by: Michael Kerrisk mtk.manpages@gmail.com Signed-off-by: Mike Galbraith umgwanakikbuti@gmail.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra a.p.zijlstra@chello.nl Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: linux-man linux-man@vger.kernel.org Link: http://lkml.kernel.org/r/1479897217.4306.6.camel@gmx.de Signed-off-by: Ingo Molnar mingo@kernel.org [bwh: Backported to 3.16: s/sched_prio_to_weight/prio_to_weight/] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/sched/auto_group.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/sched/auto_group.c +++ b/kernel/sched/auto_group.c @@ -197,6 +197,7 @@ int proc_sched_autogroup_set_nice(struct { static unsigned long next = INITIAL_JIFFIES; struct autogroup *ag; + unsigned long shares; int err;
if (nice < MIN_NICE || nice > MAX_NICE) @@ -215,9 +216,10 @@ int proc_sched_autogroup_set_nice(struct
next = HZ / 10 + jiffies; ag = autogroup_task_get(p); + shares = scale_load(prio_to_weight[nice + 20]);
down_write(&ag->lock); - err = sched_group_set_shares(ag->tg, prio_to_weight[nice + 20]); + err = sched_group_set_shares(ag->tg, shares); if (!err) ag->nice = nice; up_write(&ag->lock);
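Review bot: The new "shares = scale_load(prio_to_weight[nice + 20]);" line keeps the bare 20 as the table offset and carries no comment on why the weight has to be scaled, although that is the whole fix. The index is only safe because of the "nice < MIN_NICE || nice > MAX_NICE" check earlier in the function, so writing it as "nice - MIN_NICE" would tie the two together, and a one-line comment that sched_group_set_shares() expects a scale_load()ed value would stop the next caller from passing a raw prio_to_weight[] entry again.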
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florent Flament contact@florentflament.com
commit e8f48f96db7e482995743f461b3e8a5c1a102533 upstream.
Fix `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to power on` in kernel log at boot time.
Toshiba Satellite Z930 laptops need between 1 and 2 seconds to power on their screens during Intel i915 DRM initialization. This currently results in a `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to power on` message appearing in the kernel log during boot time and when stopping the machine.
This change increases the timeout of the `intel_enable_lvds` function from 1 to 5 seconds, leaving enough time for the Satellite 930 LCD screen to power on, and suppressing the error message from the kernel log.
This patch has been successfully tested on Linux 4.14 running on a Toshiba Satellite Z930.
[vsyrjala: bump the timeout from 2 to 5 seconds to match the DP code and properly cover the max hw timeout of ~4 seconds, and drop the comment about the specific machine since this is not a particularly surprising issue, nor specific to that one machine]
Signed-off-by: Florent Flament contact@florentflament.com Cc: Pavel Petrovic ppetrovic@acm.org Cc: Sérgio M. Basto sergio@serjux.com Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103414 References: https://bugzilla.kernel.org/show_bug.cgi?id=57591 Signed-off-by: Ville Syrjälä ville.syrjala@linux.intel.com Link: https://patchwork.freedesktop.org/patch/msgid/20180419160700.19828-1-ville.s... Reviewed-by: Jani Nikula jani.nikula@intel.com (cherry picked from commit 280b54ade5914d3b4abe4f0ebe083ddbd4603246) Signed-off-by: Joonas Lahtinen joonas.lahtinen@linux.intel.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/intel_lvds.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/intel_lvds.c +++ b/drivers/gpu/drm/i915/intel_lvds.c @@ -219,7 +219,8 @@ static void intel_enable_lvds(struct int
I915_WRITE(ctl_reg, I915_READ(ctl_reg) | POWER_TARGET_ON); POSTING_READ(lvds_encoder->reg); - if (wait_for((I915_READ(stat_reg) & PP_ON) != 0, 1000)) + + if (wait_for((I915_READ(stat_reg) & PP_ON) != 0, 5000)) DRM_ERROR("timed out waiting for panel to power on\n");
intel_panel_enable_backlight(intel_connector);
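Review bot: The timeout in "wait_for((I915_READ(stat_reg) & PP_ON) != 0, 5000)" is a bare literal, and the reasoning for the value (match the DP code, cover the ~4 second maximum hardware timeout) lives only in the commit message. A named constant or a short comment at the call would keep the LVDS and DP values from drifting apart. The hunk also adds an empty "+" line before the wait_for() call that is not needed for the fix. Since a panel that never reports PP_ON now blocks this enable path for up to 5 seconds instead of 1, it is worth confirming that no caller holds a lock for which that is too long.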
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long lucien.xin@gmail.com
commit 1071ec9d453a38023579714b64a951a2fb982071 upstream.
pf->cmp_addr() is called before binding a v6 address to the sock. It should not check ports, like in sctp_inet_cmp_addr.
But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr, sctp_v6_cmp_addr where it also compares the ports.
This would allow setsockopt(SCTP_SOCKOPT_BINDX_ADD) to bind multiple duplicated IPv6 addresses after commit 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr").
This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr, but do the proper check for both v6 addrs and v4mapped addrs.
v1->v2: - define __sctp_v6_cmp_addr to do the common address comparison used for both pf and af v6 cmp_addr.
Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr") Reported-by: Jianwen Ji jiji@redhat.com Signed-off-by: Xin Long lucien.xin@gmail.com Acked-by: Neil Horman nhorman@tuxdriver.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/sctp/ipv6.c | 60 ++++++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 30 deletions(-)
--- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -496,46 +496,49 @@ static void sctp_v6_to_addr(union sctp_a addr->v6.sin6_scope_id = 0; }
-/* Compare addresses exactly. - * v4-mapped-v6 is also in consideration. - */ -static int sctp_v6_cmp_addr(const union sctp_addr *addr1, - const union sctp_addr *addr2) +static int __sctp_v6_cmp_addr(const union sctp_addr *addr1, + const union sctp_addr *addr2) { if (addr1->sa.sa_family != addr2->sa.sa_family) { if (addr1->sa.sa_family == AF_INET && addr2->sa.sa_family == AF_INET6 && - ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) { - if (addr2->v6.sin6_port == addr1->v4.sin_port && - addr2->v6.sin6_addr.s6_addr32[3] == - addr1->v4.sin_addr.s_addr) - return 1; - } + ipv6_addr_v4mapped(&addr2->v6.sin6_addr) && + addr2->v6.sin6_addr.s6_addr32[3] == + addr1->v4.sin_addr.s_addr) + return 1; + if (addr2->sa.sa_family == AF_INET && addr1->sa.sa_family == AF_INET6 && - ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) { - if (addr1->v6.sin6_port == addr2->v4.sin_port && - addr1->v6.sin6_addr.s6_addr32[3] == - addr2->v4.sin_addr.s_addr) - return 1; - } + ipv6_addr_v4mapped(&addr1->v6.sin6_addr) && + addr1->v6.sin6_addr.s6_addr32[3] == + addr2->v4.sin_addr.s_addr) + return 1; + return 0; } - if (addr1->v6.sin6_port != addr2->v6.sin6_port) - return 0; + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) return 0; + /* If this is a linklocal address, compare the scope_id. */ - if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { - if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && - (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) { - return 0; - } - } + if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) && + addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && + addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id) + return 0;
return 1; }
+/* Compare addresses exactly. + * v4-mapped-v6 is also in consideration. + */ +static int sctp_v6_cmp_addr(const union sctp_addr *addr1, + const union sctp_addr *addr2) +{ + return __sctp_v6_cmp_addr(addr1, addr2) && + addr1->v6.sin6_port == addr2->v6.sin6_port; +} + /* Initialize addr struct to INADDR_ANY. */ static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port) { @@ -820,8 +823,8 @@ static int sctp_inet6_cmp_addr(const uni const union sctp_addr *addr2, struct sctp_sock *opt) { - struct sctp_af *af1, *af2; struct sock *sk = sctp_opt2sk(opt); + struct sctp_af *af1, *af2;
af1 = sctp_get_af_specific(addr1->sa.sa_family); af2 = sctp_get_af_specific(addr2->sa.sa_family); @@ -837,10 +840,7 @@ static int sctp_inet6_cmp_addr(const uni if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) return 1;
- if (addr1->sa.sa_family != addr2->sa.sa_family) - return 0; - - return af1->cmp_addr(addr1, addr2); + return __sctp_v6_cmp_addr(addr1, addr2); }
/* Verify that the provided sockaddr looks bindable. Common verification,
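Review bot: In the rewritten sctp_v6_cmp_addr(), the port test "addr1->v6.sin6_port == addr2->v6.sin6_port" is now applied even when __sctp_v6_cmp_addr() matched a v4 address against a v4-mapped v6 one, so one side of the comparison reads the v6 member of a union that holds a sockaddr_in. The removed code compared "addr2->v6.sin6_port == addr1->v4.sin_port" explicitly. The new form works only because sin_port and sin6_port sit at the same offset; please either say so in a comment or compare through the matching union member. The swap of the "struct sctp_af *af1, *af2;" and "struct sock *sk" declarations in sctp_inet6_cmp_addr() is cosmetic and adds noise to a stable fix.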
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 2c5d5b13c6eb79f5677e206b8aad59b3a2097f60 upstream.
syzbot loves to set very small mtu on devices, since it brings joy. We must make llc_ui_sendmsg() foolproof.
usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446612139802320068)!
kernel BUG at mm/usercopy.c:100! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 17464 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #36 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: 0018:ffff8801868bf800 EFLAGS: 00010282 RAX: 000000000000006c RBX: ffffffff87d2fb00 RCX: 0000000000000000 RDX: 000000000000006c RSI: ffffffff81610731 RDI: ffffed0030d17ef6 RBP: ffff8801868bf858 R08: ffff88018daa4200 R09: ffffed003b5c4fb0 R10: ffffed003b5c4fb0 R11: ffff8801dae27d87 R12: ffffffff87d2f8e0 R13: ffffffff87d2f7a0 R14: ffffffff87d2f7a0 R15: ffffffff87d2f7a0 FS: 00007f56a14ac700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2bc21000 CR3: 00000001abeb1000 CR4: 00000000001426f0 DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000030602 Call Trace: check_bogus_address mm/usercopy.c:153 [inline] __check_object_size+0x5d9/0x5d9 mm/usercopy.c:256 check_object_size include/linux/thread_info.h:108 [inline] check_copy_size include/linux/thread_info.h:139 [inline] copy_from_iter_full include/linux/uio.h:121 [inline] memcpy_from_msg include/linux/skbuff.h:3305 [inline] llc_ui_sendmsg+0x4b1/0x1530 net/llc/af_llc.c:941 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 __sys_sendto+0x3d7/0x670 net/socket.c:1789 __do_sys_sendto net/socket.c:1801 [inline] __se_sys_sendto net/socket.c:1797 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455979 RSP: 002b:00007f56a14abc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f56a14ac6d4 RCX: 0000000000455979 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000018 
RBP: 000000000072bea0 R08: 00000000200012c0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000548 R14: 00000000006fbf60 R15: 0000000000000000 Code: 55 c0 e8 c0 55 bb ff ff 75 c8 48 8b 55 c0 4d 89 f9 ff 75 d0 4d 89 e8 48 89 d9 4c 89 e6 41 56 48 c7 c7 80 fa d2 87 e8 a0 0b a3 ff <0f> 0b e8 95 55 bb ff e8 c0 a8 f7 ff 8b 95 14 ff ff ff 4d 89 e8 RIP: usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: ffff8801868bf800
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/llc/af_llc.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -925,6 +925,9 @@ static int llc_ui_sendmsg(struct kiocb * if (size > llc->dev->mtu) size = llc->dev->mtu; copied = size - hdrlen; + rc = -EINVAL; + if (copied < 0) + goto release; release_sock(sk); skb = sock_alloc_send_skb(sk, size, noblock, &rc); lock_sock(sk);
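Review bot: The added "rc = -EINVAL;" is assigned unconditionally before "if (copied < 0)", so on the normal path it stays in rc until sock_alloc_send_skb(sk, size, noblock, &rc) overwrites it; setting it inside the branch would make the error path self-contained and avoid leaking -EINVAL if a later early exit is ever added between the two. The test also depends on copied being a signed type, and its declaration is outside the hunk, so that should be confirmed for the 3.16 backport. Finally, "copied == 0" (mtu exactly equal to hdrlen) still passes; if an empty payload is not meant to be sent, the comparison should be "<= 0".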
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Toshiaki Makita makita.toshiaki@lab.ntt.co.jp
commit 7ce2367254e84753bceb07327aaf5c953cfce117 upstream.
Syzkaller spotted an old bug which leads to reading skb beyond tail by 4 bytes on vlan tagged packets. This is caused because skb_vlan_tagged_multi() did not check skb_headlen.
BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline] BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline] BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline] BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 eth_type_vlan include/linux/if_vlan.h:283 [inline] skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] vlan_features_check include/linux/if_vlan.h:672 [inline] dflt_features_check net/core/dev.c:2949 [inline] netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084 __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590 packet_snd net/packet/af_packet.c:2944 [inline] packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] sock_write_iter+0x3b9/0x470 net/socket.c:909 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 do_iter_write+0x30d/0xd40 fs/read_write.c:932 vfs_writev fs/read_write.c:977 [inline] do_writev+0x3c9/0x830 fs/read_write.c:1012 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 SyS_writev+0x56/0x80 fs/read_write.c:1082 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x43ffa9 RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 
00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0 R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc_node mm/slub.c:2737 [inline] __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:984 [inline] alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085 packet_alloc_skb net/packet/af_packet.c:2803 [inline] packet_snd net/packet/af_packet.c:2894 [inline] packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] sock_write_iter+0x3b9/0x470 net/socket.c:909 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 do_iter_write+0x30d/0xd40 fs/read_write.c:932 vfs_writev fs/read_write.c:977 [inline] do_writev+0x3c9/0x830 fs/read_write.c:1012 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 SyS_writev+0x56/0x80 fs/read_write.c:1082 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.") Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com Signed-off-by: Toshiaki Makita makita.toshiaki@lab.ntt.co.jp Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: The unchecked read is in netif_skb_features()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2608,7 +2608,8 @@ netdev_features_t netif_skb_features(str
if (!vlan_tx_tag_present(skb)) { if (unlikely(protocol == htons(ETH_P_8021Q) || - protocol == htons(ETH_P_8021AD))) { + protocol == htons(ETH_P_8021AD)) && + likely(pskb_may_pull(skb, VLAN_ETH_HLEN))) { struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data; protocol = veh->h_vlan_encapsulated_proto; } else {
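Review bot: When "pskb_may_pull(skb, VLAN_ETH_HLEN)" fails, the combined condition is false and control goes to the "} else {" branch, so a frame that claims ETH_P_8021Q or ETH_P_8021AD but is too short is handled by the untagged path, whose body is outside this hunk. Please add a comment stating that this is intended, or handle the short frame explicitly. Wrapping the first half in unlikely() and the second in likely() within one "&&" expression is also hard to read; a nested "if" would make both the hint and the fall-through clearer. The cast of skb->data to struct vlan_ethhdr correctly comes after the pull, which matters because pskb_may_pull() can move the header.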
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joakim Tjernlund joakim.tjernlund@transmode.se
commit 6510bbc88e3258631831ade49033537081950605 upstream.
Currently it is possible to read and/or write to suspended EBs. Writing /dev/mtdX or /dev/mtdblockX from several processes may break the flash state machine.
Signed-off-by: Joakim Tjernlund joakim.tjernlund@infinera.com Reviewed-by: Richard Weinberger richard@nod.at Signed-off-by: Boris Brezillon boris.brezillon@bootlin.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mtd/chips/cfi_cmdset_0001.c | 16 +++++++++++----- include/linux/mtd/flashchip.h | 1 + 2 files changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/mtd/chips/cfi_cmdset_0001.c +++ b/drivers/mtd/chips/cfi_cmdset_0001.c @@ -825,21 +825,25 @@ static int chip_ready (struct map_info * (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1)))) goto sleep;
+ /* Do not allow suspend iff read/write to EB address */ + if ((adr & chip->in_progress_block_mask) == + chip->in_progress_block_addr) + goto sleep;
/* Erase suspend */ - map_write(map, CMD(0xB0), adr); + map_write(map, CMD(0xB0), chip->in_progress_block_addr);
/* If the flash has finished erasing, then 'erase suspend' * appears to make some (28F320) flash devices switch to * 'read' mode. Make sure that we switch to 'read status' * mode so we get the right data. --rmk */ - map_write(map, CMD(0x70), adr); + map_write(map, CMD(0x70), chip->in_progress_block_addr); chip->oldstate = FL_ERASING; chip->state = FL_ERASE_SUSPENDING; chip->erase_suspended = 1; for (;;) { - status = map_read(map, adr); + status = map_read(map, chip->in_progress_block_addr); if (map_word_andequal(map, status, status_OK, status_OK)) break;
@@ -1035,8 +1039,8 @@ static void put_chip(struct map_info *ma sending the 0x70 (Read Status) command to an erasing chip and expecting it to be ignored, that's what we do. */ - map_write(map, CMD(0xd0), adr); - map_write(map, CMD(0x70), adr); + map_write(map, CMD(0xd0), chip->in_progress_block_addr); + map_write(map, CMD(0x70), chip->in_progress_block_addr); chip->oldstate = FL_READY; chip->state = FL_ERASING; break; @@ -1927,6 +1931,8 @@ static int __xipram do_erase_oneblock(st map_write(map, CMD(0xD0), adr); chip->state = FL_ERASING; chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; + chip->in_progress_block_mask = ~(len - 1);
ret = INVAL_CACHE_AND_WAIT(map, chip, adr, adr, len, --- a/include/linux/mtd/flashchip.h +++ b/include/linux/mtd/flashchip.h @@ -85,6 +85,7 @@ struct flchip { unsigned int write_suspended:1; unsigned int erase_suspended:1; unsigned long in_progress_block_addr; + unsigned long in_progress_block_mask;
struct mutex mutex; wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
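Review bot: In do_erase_oneblock() the mask is computed as "chip->in_progress_block_mask = ~(len - 1);", which is a valid block mask only when len is a power of two and adr is aligned to it; the new test in chip_ready(), "(adr & chip->in_progress_block_mask) == chip->in_progress_block_addr", silently stops matching otherwise. Please state that assumption in a comment or assert it where the two fields are set. The new comment "Do not allow suspend iff read/write to EB address" should say "if", since "iff" claims an equivalence the code does not implement, and the new in_progress_block_mask member in struct flchip is added without any description of its relation to in_progress_block_addr.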
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit d7614cc16146e3f0b4c33e71875c19607602aed5 upstream.
It was possible for an xattr value to have a very large size, which would then pass validation on 32-bit architectures due to a pointer wraparound. Fix this by validating the size in a way which avoids pointer wraparound.
It was also possible that a value's size would fit in the available space but its padded size would not. This would cause an out-of-bounds memory write in ext4_xattr_set_entry when replacing the xattr value. For example, if an xattr value of unpadded size 253 bytes went until the very end of the inode or block, then using setxattr(2) to replace this xattr's value with 256 bytes would cause a write to the 3 bytes past the end of the inode or buffer, and the new xattr value would be incorrectly truncated. Fix this by requiring that the padded size fit in the available space rather than the unpadded size.
This patch shouldn't have any noticeable effect on non-corrupted/non-malicious filesystems.
Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: - s/EFSCORRUPTED/EIO/ - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ext4/xattr.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-)
--- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -188,6 +188,7 @@ ext4_xattr_check_names(struct ext4_xattr { struct ext4_xattr_entry *e = entry;
+ /* Find the end of the names list */ while (!IS_LAST_ENTRY(e)) { struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); if ((void *)next >= end) @@ -195,13 +196,27 @@ ext4_xattr_check_names(struct ext4_xattr e = next; }
+ /* Check the values */ while (!IS_LAST_ENTRY(entry)) { - if (entry->e_value_size != 0 && - (value_start + le16_to_cpu(entry->e_value_offs) < - (void *)e + sizeof(__u32) || - value_start + le16_to_cpu(entry->e_value_offs) + - le32_to_cpu(entry->e_value_size) > end)) - return -EIO; + if (entry->e_value_size != 0) { + u16 offs = le16_to_cpu(entry->e_value_offs); + u32 size = le32_to_cpu(entry->e_value_size); + void *value; + + /* + * The value cannot overlap the names, and the value + * with padding cannot extend beyond 'end'. Check both + * the padded and unpadded sizes, since the size may + * overflow to 0 when adding padding. + */ + if (offs > end - value_start) + return -EIO; + value = value_start + offs; + if (value < (void *)e + sizeof(u32) || + size > end - value || + EXT4_XATTR_SIZE(size) > end - value) + return -EIO; + } entry = EXT4_XATTR_NEXT(entry); }
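Review bot: In the new value check, "size > end - value" and "EXT4_XATTR_SIZE(size) > end - value" compare a u32 against a pointer difference, which is only correct because the earlier "if (offs > end - value_start) return -EIO;" guarantees that "end - value" is not negative. The block comment explains the padded/unpadded pair but not this ordering dependency; please add a sentence so that nobody reorders or drops the offs test later, or store "end - value" in an unsigned local once and compare against that.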
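The two failure modes the commit message describes, modelled in user space as an added example (not code from the patch or from ext4). Pointers are simulated as uint32_t so the 32-bit wraparound reproduces on any host; the struct, the function names and the sample addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same 4-byte rounding as the kernel's EXT4_XATTR_SIZE(). */
#define XATTR_ROUND 3u
#define XATTR_SIZE(size) (((size) + XATTR_ROUND) & ~XATTR_ROUND)

/*
 * Constructed model: "pointers" are uint32_t so that address arithmetic
 * wraps as on a 32-bit kernel, whatever host this is compiled on.
 */
struct xattr_region {
	uint32_t value_start; /* base that e_value_offs is relative to */
	uint32_t names_end;   /* (void *)e + sizeof(u32) in the patch */
	uint32_t end;         /* one past the last byte of the inode/block */
};

/* Constructed sample: a 0x200-byte region high in a 32-bit address space. */
static const struct xattr_region SAMPLE = {
	.value_start = 0xC1000000u,
	.names_end   = 0xC1000040u,
	.end         = 0xC1000200u,
};

/* Shape of the check the patch removes: true means the entry is accepted. */
static bool value_ok_old(const struct xattr_region *r, uint16_t offs,
			 uint32_t size)
{
	if (size == 0)
		return true;
	if (r->value_start + offs < r->names_end)
		return false;
	/* value_start + offs + size can wrap past 2^32 and land below end. */
	if (r->value_start + offs + size > r->end)
		return false;
	return true;
}

/* Shape of the check the patch adds: sizes are compared to remaining room. */
static bool value_ok_new(const struct xattr_region *r, uint16_t offs,
			 uint32_t size)
{
	uint32_t value, room;

	if (size == 0)
		return true;
	if (offs > r->end - r->value_start)
		return false;
	value = r->value_start + offs;
	if (value < r->names_end)
		return false;
	room = r->end - value; /* cannot underflow: offs was bounded above */
	/* The unpadded test catches sizes whose padded form overflows to 0. */
	return size <= room && XATTR_SIZE(size) <= room;
}

int main(void)
{
	static const struct {
		const char *what;
		uint16_t offs;
		uint32_t size;
	} cases[] = {
		{ "well-formed, padded size fits",         0x100, 253 },
		{ "huge size, pointer wraps",              0x080, 0xFFFFFF00u },
		{ "253 bytes ending exactly at end",       0x103, 253 },
		{ "size whose padded form overflows to 0", 0x100, 0xFFFFFFFEu },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-40s old=%s new=%s\n", cases[i].what,
		       value_ok_old(&SAMPLE, cases[i].offs, cases[i].size) ?
				"accept" : "reject",
		       value_ok_new(&SAMPLE, cases[i].offs, cases[i].size) ?
				"accept" : "reject");
	return 0;
}
```

The third case is the 253-byte value from the commit message: it fits unpadded, but its padded size of 256 does not, which is what lets a later replace write 3 bytes past the end.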
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas bhelgaas@google.com
commit 5938628c51a711ae2169d68b2e3a4f7d93d4dbea upstream.
The PCI Power Management Spec, r1.2, sec 5.6.1, requires a 10 millisecond delay when powering on a device, i.e., transitioning from state D3hot to D0.
Apparently some devices require more time, and d1f9809ed131 ("drm/radeon: add quirk for d3 delay during switcheroo poweron for apple macbooks") added an additional delay for the Radeon device in a MacBook Pro. 4807c5a8a0c8 ("drm/radeon: add a PX quirk list") made the affected device more explicit.
Add a generic PCI quirk to increase the d3_delay. This means we will use the additional delay for *all* wakeups from D3, not just those initiated by radeon_switcheroo_set_state().
Signed-off-by: Bjorn Helgaas bhelgaas@google.com Reviewed-by: Andreas Boll andreas.boll.dev@gmail.com Acked-by: Alex Deucher alexander.deucher@amd.com CC: Maarten Lankhorst maarten.lankhorst@canonical.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/radeon/radeon_device.c | 11 ----------- drivers/pci/quirks.c | 13 +++++++++++++ 2 files changed, 13 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -105,7 +105,6 @@ static const char radeon_family_name[][1 };
#define RADEON_PX_QUIRK_DISABLE_PX (1 << 0) -#define RADEON_PX_QUIRK_LONG_WAKEUP (1 << 1)
struct radeon_px_quirk { u32 chip_vendor; @@ -132,8 +131,6 @@ static struct radeon_px_quirk radeon_px_ * https://bugs.freedesktop.org/show_bug.cgi?id=101491 */ { PCI_VENDOR_ID_ATI, 0x6741, 0x1043, 0x2122, RADEON_PX_QUIRK_DISABLE_PX }, - /* macbook pro 8.2 */ - { PCI_VENDOR_ID_ATI, 0x6741, PCI_VENDOR_ID_APPLE, 0x00e2, RADEON_PX_QUIRK_LONG_WAKEUP }, { 0, 0, 0, 0, 0 }, };
@@ -1180,25 +1177,17 @@ static void radeon_check_arguments(struc static void radeon_switcheroo_set_state(struct pci_dev *pdev, enum vga_switcheroo_state state) { struct drm_device *dev = pci_get_drvdata(pdev); - struct radeon_device *rdev = dev->dev_private;
if (radeon_is_px(dev) && state == VGA_SWITCHEROO_OFF) return;
if (state == VGA_SWITCHEROO_ON) { - unsigned d3_delay = dev->pdev->d3_delay; - printk(KERN_INFO "radeon: switched on\n"); /* don't suspend or resume card normally */ dev->switch_power_state = DRM_SWITCH_POWER_CHANGING;
- if (d3_delay < 20 && (rdev->px_quirk_flags & RADEON_PX_QUIRK_LONG_WAKEUP)) - dev->pdev->d3_delay = 20; - radeon_resume_kms(dev, true, true);
- dev->pdev->d3_delay = d3_delay; - dev->switch_power_state = DRM_SWITCH_POWER_ON; drm_kms_helper_poll_enable(dev); } else { --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -1648,6 +1648,19 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x260a, quirk_intel_pcie_pm); DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x260b, quirk_intel_pcie_pm);
+static void quirk_radeon_pm(struct pci_dev *dev) +{ + if (dev->subsystem_vendor == PCI_VENDOR_ID_APPLE && + dev->subsystem_device == 0x00e2) { + if (dev->d3_delay < 20) { + dev->d3_delay = 20; + dev_info(&dev->dev, "extending delay after power-on from D3 to %d msec\n", + dev->d3_delay); + } + } +} +DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6741, quirk_radeon_pm); + #ifdef CONFIG_X86_IO_APIC static int dmi_disable_ioapicreroute(const struct dmi_system_id *d) {
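Review bot: quirk_radeon_pm() in drivers/pci/quirks.c matches on "dev->subsystem_device == 0x00e2" and raises d3_delay to 20 with no indication of which machine this is or why 20 ms, while the radeon_device.c hunk deletes the only comment that said so ("macbook pro 8.2"). Please carry that comment over to the new quirk and mention the 10 ms that the PCI PM spec requires, so the two magic numbers are explained where they now live. The commit message notes that the longer delay now applies to all wakeups from D3 for this device, not only those from radeon_switcheroo_set_state(); a one-line comment on the quirk saying the same would be useful to anyone bisecting resume latency.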
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 1e2e547a93a00ebc21582c06ca3c6cfea2a309ee upstream.
For anything NFS-exported we do _not_ want to unlock new inode before it has grown an alias; original set of fixes got the ordering right, but missed the nasty complication in case of lockdep being enabled - unlock_new_inode() does lockdep_annotate_inode_mutex_key(inode) which can only be done before anyone gets a chance to touch ->i_mutex. Unfortunately, flipping the order and doing unlock_new_inode() before d_instantiate() opens a window when mkdir can race with open-by-fhandle on a guessed fhandle, leading to multiple aliases for a directory inode and all the breakage that follows from that.
Correct solution: a new primitive (d_instantiate_new()) combining these two in the right order - lockdep annotate, then d_instantiate(), then the rest of unlock_new_inode(). All combinations of d_instantiate() with unlock_new_inode() should be converted to that.
Tested-by: Mike Marshall hubcap@omnibond.com Reviewed-by: Andreas Dilger adilger@dilger.ca Signed-off-by: Al Viro viro@zeniv.linux.org.uk [bwh: Backported to 3.16: - Drop changes in orangefs - Apply similar change to ext3 - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -6019,8 +6019,7 @@ static int btrfs_mknod(struct inode *dir goto out_unlock_inode; } else { btrfs_update_inode(trans, root, inode); - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); }
out_unlock: @@ -6096,8 +6095,7 @@ static int btrfs_create(struct inode *di goto out_unlock_inode;
BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops; - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode);
out_unlock: btrfs_end_transaction(trans, root); @@ -6238,12 +6236,7 @@ static int btrfs_mkdir(struct inode *dir if (err) goto out_fail_inode;
- d_instantiate(dentry, inode); - /* - * mkdir is special. We're unlocking after we call d_instantiate - * to avoid a race with nfsd calling d_instantiate. - */ - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); drop_on_err = 0;
out_fail: @@ -8926,8 +8919,7 @@ static int btrfs_symlink(struct inode *d goto out_unlock_inode; }
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode);
out_unlock: btrfs_end_transaction(trans, root); --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1680,6 +1680,28 @@ void d_instantiate(struct dentry *entry, } EXPORT_SYMBOL(d_instantiate);
+/* + * This should be equivalent to d_instantiate() + unlock_new_inode(), + * with lockdep-related part of unlock_new_inode() done before + * anything else. Use that instead of open-coding d_instantiate()/ + * unlock_new_inode() combinations. + */ +void d_instantiate_new(struct dentry *entry, struct inode *inode) +{ + BUG_ON(!hlist_unhashed(&entry->d_u.d_alias)); + BUG_ON(!inode); + lockdep_annotate_inode_mutex_key(inode); + security_d_instantiate(entry, inode); + spin_lock(&inode->i_lock); + __d_instantiate(entry, inode); + WARN_ON(!(inode->i_state & I_NEW)); + inode->i_state &= ~I_NEW; + smp_mb(); + wake_up_bit(&inode->i_state, __I_NEW); + spin_unlock(&inode->i_lock); +} +EXPORT_SYMBOL(d_instantiate_new); + /** * d_instantiate_unique - instantiate a non-aliased dentry * @entry: dentry to instantiate --- a/fs/ecryptfs/inode.c +++ b/fs/ecryptfs/inode.c @@ -298,8 +298,7 @@ ecryptfs_create(struct inode *directory_ iput(ecryptfs_inode); goto out; } - unlock_new_inode(ecryptfs_inode); - d_instantiate(ecryptfs_dentry, ecryptfs_inode); + d_instantiate_new(ecryptfs_dentry, ecryptfs_inode); out: return rc; } --- a/fs/ext2/namei.c +++ b/fs/ext2/namei.c @@ -41,8 +41,7 @@ static inline int ext2_add_nondir(struct { int err = ext2_add_link(dentry, inode); if (!err) { - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0; } inode_dec_link_count(inode); @@ -265,8 +264,7 @@ static int ext2_mkdir(struct inode * dir if (err) goto out_fail;
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); out: return err;
--- a/fs/ext3/namei.c +++ b/fs/ext3/namei.c @@ -1671,8 +1671,7 @@ static int ext3_add_nondir(handle_t *han int err = ext3_add_entry(handle, dentry, inode); if (!err) { ext3_mark_inode_dirty(handle, inode); - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0; } drop_nlink(inode); @@ -1873,8 +1872,7 @@ out_clear_inode: if (err) goto out_clear_inode;
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); out_stop: brelse(dir_block); ext3_journal_stop(handle); --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -2227,8 +2227,7 @@ static int ext4_add_nondir(handle_t *han int err = ext4_add_entry(handle, dentry, inode); if (!err) { ext4_mark_inode_dirty(handle, inode); - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0; } drop_nlink(inode); @@ -2466,8 +2465,7 @@ out_clear_inode: err = ext4_mark_inode_dirty(handle, dir); if (err) goto out_clear_inode; - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); if (IS_DIRSYNC(dir)) ext4_handle_sync(handle);
--- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -127,8 +127,7 @@ static int f2fs_create(struct inode *dir
alloc_nid_done(sbi, ino);
- d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); return 0; out: handle_failed_inode(inode); @@ -260,8 +259,7 @@ static int f2fs_symlink(struct inode *di err = page_symlink(inode, symname, symlen); alloc_nid_done(sbi, inode->i_ino);
- d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); return err; out: handle_failed_inode(inode); @@ -294,8 +292,7 @@ static int f2fs_mkdir(struct inode *dir,
alloc_nid_done(sbi, inode->i_ino);
- d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode);
return 0;
@@ -340,8 +337,7 @@ static int f2fs_mknod(struct inode *dir, f2fs_unlock_op(sbi);
alloc_nid_done(sbi, inode->i_ino); - d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); return 0; out: handle_failed_inode(inode); --- a/fs/jffs2/dir.c +++ b/fs/jffs2/dir.c @@ -207,8 +207,7 @@ static int jffs2_create(struct inode *di __func__, inode->i_ino, inode->i_mode, inode->i_nlink, f->inocache->pino_nlink, inode->i_mapping->nrpages);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0;
fail: @@ -427,8 +426,7 @@ static int jffs2_symlink (struct inode * mutex_unlock(&dir_f->sem); jffs2_complete_reservation(c);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0;
fail: @@ -572,8 +570,7 @@ static int jffs2_mkdir (struct inode *di mutex_unlock(&dir_f->sem); jffs2_complete_reservation(c);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0;
fail: @@ -747,8 +744,7 @@ static int jffs2_mknod (struct inode *di mutex_unlock(&dir_f->sem); jffs2_complete_reservation(c);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0;
fail: --- a/fs/jfs/namei.c +++ b/fs/jfs/namei.c @@ -176,8 +176,7 @@ static int jfs_create(struct inode *dip, unlock_new_inode(ip); iput(ip); } else { - unlock_new_inode(ip); - d_instantiate(dentry, ip); + d_instantiate_new(dentry, ip); }
out2: @@ -309,8 +308,7 @@ static int jfs_mkdir(struct inode *dip, unlock_new_inode(ip); iput(ip); } else { - unlock_new_inode(ip); - d_instantiate(dentry, ip); + d_instantiate_new(dentry, ip); }
out2: @@ -1043,8 +1041,7 @@ static int jfs_symlink(struct inode *dip unlock_new_inode(ip); iput(ip); } else { - unlock_new_inode(ip); - d_instantiate(dentry, ip); + d_instantiate_new(dentry, ip); }
out2: @@ -1424,8 +1421,7 @@ static int jfs_mknod(struct inode *dir, unlock_new_inode(ip); iput(ip); } else { - unlock_new_inode(ip); - d_instantiate(dentry, ip); + d_instantiate_new(dentry, ip); }
out1: --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -50,8 +50,7 @@ static inline int nilfs_add_nondir(struc { int err = nilfs_add_link(dentry, inode); if (!err) { - d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); return 0; } inode_dec_link_count(inode); @@ -249,8 +248,7 @@ static int nilfs_mkdir(struct inode *dir goto out_fail;
nilfs_mark_inode_dirty(inode); - d_instantiate(dentry, inode); - unlock_new_inode(inode); + d_instantiate_new(dentry, inode); out: if (!err) err = nilfs_transaction_commit(dir->i_sb); --- a/fs/reiserfs/namei.c +++ b/fs/reiserfs/namei.c @@ -682,8 +682,7 @@ static int reiserfs_create(struct inode reiserfs_update_inode_transaction(inode); reiserfs_update_inode_transaction(dir);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); retval = journal_end(&th);
out_failed: @@ -763,8 +762,7 @@ static int reiserfs_mknod(struct inode * goto out_failed; }
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); retval = journal_end(&th);
out_failed: @@ -857,8 +855,7 @@ static int reiserfs_mkdir(struct inode * /* the above add_entry did not update dir's stat data */ reiserfs_update_sd(&th, dir);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); retval = journal_end(&th); out_failed: reiserfs_write_unlock(dir->i_sb); @@ -1162,8 +1159,7 @@ static int reiserfs_symlink(struct inode goto out_failed; }
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); retval = journal_end(&th); out_failed: reiserfs_write_unlock(parent_dir->i_sb); --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -576,8 +576,7 @@ static int udf_add_nondir(struct dentry if (fibh.sbh != fibh.ebh) brelse(fibh.ebh); brelse(fibh.sbh); - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode);
return 0; } @@ -697,8 +696,7 @@ static int udf_mkdir(struct inode *dir, udf_write_fi(dir, &cfi, fi, &fibh, NULL, NULL); inc_nlink(dir); mark_inode_dirty(dir); - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); if (fibh.sbh != fibh.ebh) brelse(fibh.ebh); brelse(fibh.sbh); --- a/fs/ufs/namei.c +++ b/fs/ufs/namei.c @@ -38,8 +38,7 @@ static inline int ufs_add_nondir(struct { int err = ufs_add_link(dentry, inode); if (!err) { - unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); return 0; } inode_dec_link_count(inode); @@ -212,8 +211,7 @@ static int ufs_mkdir(struct inode * dir, goto out_fail; unlock_ufs(dir->i_sb);
- unlock_new_inode(inode); - d_instantiate(dentry, inode); + d_instantiate_new(dentry, inode); out: return err;
--- a/include/linux/dcache.h +++ b/include/linux/dcache.h @@ -234,6 +234,7 @@ static inline int dname_external(const s * These are the low-level FS interfaces to the dcache.. */ extern void d_instantiate(struct dentry *, struct inode *); +extern void d_instantiate_new(struct dentry *, struct inode *); extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *); extern struct dentry * d_materialise_unique(struct dentry *, struct inode *); extern int d_instantiate_no_diralias(struct dentry *, struct inode *);
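Review bot: the smp_mb() in d_instantiate_new() (fs/dcache.c hunk) has no comment saying what it orders. From the surrounding lines it sits between clearing I_NEW and wake_up_bit(&inode->i_state, __I_NEW), so a one-line comment naming that pairing would help. The first btrfs hunk shown here also deletes the only comment that explained why the ordering matters (the race with nfsd calling d_instantiate), and the new helper's header comment does not carry that rationale over. Consider adding it there, and making the header a kernel-doc block like the d_instantiate_unique one that follows it.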
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Robbie Ko robbieko@synology.com
commit 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 upstream.
[BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send.
[REASON] The problem can happen if while we are doing a send one of the snapshots used (parent or send) is snapshotted, because snapshotting implies COWing the root of the source subvolume/snapshot.
1. When doing an incremental send, the send process will get the commit roots from the parent and send snapshots, and add references to them through extent_buffer_get().
2. When a snapshot/subvolume is snapshotted, its root node is COWed (transaction.c:create_pending_snapshot()).
3. COWing releases the space used by the node immediately, through:
__btrfs_cow_block()
--btrfs_free_tree_block()
----btrfs_add_free_space(bytenr of node)
4. Because send doesn't hold a transaction open, it's possible that the transaction used to create the snapshot commits, switches the commit root and the old space used by the previous root node gets assigned to some other node allocation. Allocation of a new node will use the existing extent buffer found in memory, which we previously got a reference through extent_buffer_get(), and allow the extent buffer's content (pages) to be modified:
btrfs_alloc_tree_block
--btrfs_reserve_extent
----find_free_extent (get bytenr of old node)
--btrfs_init_new_buffer (use bytenr of old node)
----btrfs_find_create_tree_block
------alloc_extent_buffer
--------find_extent_buffer (get old node)
5. So send can access invalid memory content and have unpredictable behaviour.
[FIX] So we fix the problem by copying the commit roots of the send and parent snapshots and use those copies.
CallTrace looks like this: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1861! invalid opcode: 0000 [#1] SMP CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721 ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000 RIP: 0010:[<ffffffffa08dd0e8>] read_node_slot+0x108/0x110 [btrfs] RSP: 0018:ffff88041b723b68 EFLAGS: 00010246 RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000 RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66 R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890 R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001 FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000) CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880 ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50 ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400 Call Trace: [<ffffffffa08dd9d7>] ? tree_move_down.isra.33+0x27/0x50 [btrfs] [<ffffffffa08dde85>] ? tree_advance+0xb5/0xc0 [btrfs] [<ffffffffa08e83d4>] ? btrfs_compare_trees+0x2d4/0x760 [btrfs] [<ffffffffa0982050>] ? finish_inode_if_needed+0x870/0x870 [btrfs] [<ffffffffa09841ea>] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs] [<ffffffffa094bd3d>] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs] [<ffffffff81111133>] ? handle_pte_fault+0x373/0x990 [<ffffffff8153a096>] ? atomic_notifier_call_chain+0x16/0x20 [<ffffffff81063256>] ? set_task_cpu+0xb6/0x1d0 [<ffffffff811122c3>] ? handle_mm_fault+0x143/0x2a0 [<ffffffff81539cc0>] ? __do_page_fault+0x1d0/0x500 [<ffffffff81062f07>] ? check_preempt_curr+0x57/0x90 [<ffffffff8115075a>] ? do_vfs_ioctl+0x4aa/0x990 [<ffffffff81034f83>] ? 
do_fork+0x113/0x3b0 [<ffffffff812dd7d7>] ? trace_hardirqs_off_thunk+0x3a/0x6c [<ffffffff81150cc8>] ? SyS_ioctl+0x88/0xa0 [<ffffffff8153e422>] ? system_call_fastpath+0x16/0x1b ---[ end trace 29576629ee80b2e1 ]---
Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function")
Signed-off-by: Robbie Ko robbieko@synology.com
Reviewed-by: Filipe Manana fdmanana@suse.com
Signed-off-by: David Sterba dsterba@suse.com
[bwh: Backported to 3.16: s/fs_info/left_root->fs_info/]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/btrfs/ctree.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
--- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -5406,12 +5406,24 @@ int btrfs_compare_trees(struct btrfs_roo down_read(&left_root->fs_info->commit_root_sem); left_level = btrfs_header_level(left_root->commit_root); left_root_level = left_level; - left_path->nodes[left_level] = left_root->commit_root; + left_path->nodes[left_level] = + btrfs_clone_extent_buffer(left_root->commit_root); + if (!left_path->nodes[left_level]) { + up_read(&left_root->fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(left_path->nodes[left_level]);
right_level = btrfs_header_level(right_root->commit_root); right_root_level = right_level; - right_path->nodes[right_level] = right_root->commit_root; + right_path->nodes[right_level] = + btrfs_clone_extent_buffer(right_root->commit_root); + if (!right_path->nodes[right_level]) { + up_read(&left_root->fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(right_path->nodes[right_level]); up_read(&left_root->fs_info->commit_root_sem);
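Review bot: in the right_path failure branch of btrfs_compare_trees(), goto out is taken after left_path->nodes[left_level] already holds a clone on which extent_buffer_get() has been called, and the out label is outside this hunk. Please confirm that path releases the left clone, otherwise an -ENOMEM on the second btrfs_clone_extent_buffer() leaks the first. The retained extent_buffer_get() calls now take a reference on a private copy rather than on the shared commit root, so a comment stating which put pairs with each get would help. A short comment above the clone explaining that the copy exists because send holds no transaction would keep the reasoning from the commit message next to the code.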
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni pabeni@redhat.com
commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 upstream.
When parsing the options provided by the user space, team_nl_cmd_options_set() inserts them in a temporary list to send multiple events with a single message. While each option's attribute is correctly validated, the code does not check for duplicate entries before inserting into the event list.
Exploiting the above, the syzbot was able to trigger the following splat:
kernel BUG at lib/list_debug.c:31! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286 RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000 RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90 R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90 R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000 FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_add include/linux/list.h:60 [inline] list_add include/linux/list.h:79 [inline] team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571 genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599 genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 ___sys_sendmsg+0x805/0x940 net/socket.c:2117 __sys_sendmsg+0x115/0x270 net/socket.c:2155 SYSC_sendmsg net/socket.c:2164 [inline] SyS_sendmsg+0x29/0x30 net/socket.c:2162 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x4458b9 RSP: 002b:00007ffd1d4a7278 
EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9 RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004 RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348 R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000 Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48 89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f 40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
This changeset addresses the above by avoiding list_add() if the current option is already present in the event list.
Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni pabeni@redhat.com
Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/net/team/team.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
--- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -253,6 +253,17 @@ static void __team_option_inst_mark_remo } }
+static bool __team_option_inst_tmp_find(const struct list_head *opts, + const struct team_option_inst *needle) +{ + struct team_option_inst *opt_inst; + + list_for_each_entry(opt_inst, opts, tmp_list) + if (opt_inst == needle) + return true; + return false; +} + static int __team_options_register(struct team *team, const struct team_option *option, size_t option_count) @@ -2520,6 +2531,14 @@ static int team_nl_cmd_options_set(struc if (err) goto team_put; opt_inst->changed = true; + + /* dumb/evil user-space can send us duplicate opt, + * keep only the last one + */ + if (__team_option_inst_tmp_find(&opt_inst_list, + opt_inst)) + continue; + list_add(&opt_inst->tmp_list, &opt_inst_list); } if (!opt_found) {
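Review bot: the comment in team_nl_cmd_options_set() says "keep only the last one", but the duplicate check sits after the err check and after opt_inst->changed = true, and on a match it skips list_add(), so the list entry that stays is the one queued by the first occurrence. Rewording the comment to say that a duplicate option is queued for the event only once would match the code. __team_option_inst_tmp_find() walks the whole temporary list for every option in the message, which is quadratic in the number of options one netlink message carries; a note on the expected list size would make it clear that this is acceptable. The multi-line list_for_each_entry body would also read better with braces.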
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Anastasov ja@ssi.bg
commit 94720e3aee6884d8c8beb678001629da60ec6366 upstream.
Allow some non-cached routes to use non-expired fnhe:
1. ip_del_fnhe: moved above and now called by find_exception. The 4.5+ commit deed49df7390 expires fnhe only when caching routes. Change that to:
1.1. use fnhe for non-cached local output routes, with the help from (2)
1.2. allow __mkroute_input to detect expired fnhe (outdated fnhe_gw, for example) when do_cache is false, eg. when itag!=0 for unicast destinations.
2. __mkroute_output: keep fi to allow local routes with orig_oif != 0 to use fnhe info even when the new route will not be cached into fnhe. After commit 839da4d98960 ("net: ipv4: set orig_oif based on fib result for local traffic") it means all local routes will be affected because they are not cached. This change is used to solve a PMTU problem with IPVS (and probably Netfilter DNAT) setups that redirect local clients from target local IP (local route to Virtual IP) to new remote IP target, eg. IPVS TUN real server. Loopback has 64K MTU and we need to create fnhe on the local route that will keep the reduced PMTU for the Virtual IP. Without this change fnhe_pmtu is updated from ICMP but never exposed to non-cached local routes. This includes routes with flowi4_oif!=0 for 4.6+ and with flowi4_oif=any for 4.14+).
3. update_or_create_fnhe: make sure fnhe_expires is not 0 for new entries
Fixes: 839da4d98960 ("net: ipv4: set orig_oif based on fib result for local traffic")
Fixes: d6d5e999e5df ("route: do not cache fib route info on local routes with oif")
Fixes: deed49df7390 ("route: check and remove route cache when we get route")
Cc: David Ahern dsahern@gmail.com
Cc: Xin Long lucien.xin@gmail.com
Signed-off-by: Julian Anastasov ja@ssi.bg
Acked-by: David Ahern dsahern@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 net/ipv4/route.c | 118 +++++++++++++++++++++--------------------------
 1 file changed, 53 insertions(+), 65 deletions(-)
--- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -684,7 +684,7 @@ static void update_or_create_fnhe(struct fnhe->fnhe_gw = gw; fnhe->fnhe_pmtu = pmtu; fnhe->fnhe_mtu_locked = lock; - fnhe->fnhe_expires = expires; + fnhe->fnhe_expires = max(1UL, expires);
/* Exception created; mark the cached routes for the nexthop * stale, so anyone caching it rechecks if this exception @@ -1259,6 +1259,36 @@ static unsigned int ipv4_mtu(const struc return min_t(unsigned int, mtu, IP_MAX_MTU); }
+static void ip_del_fnhe(struct fib_nh *nh, __be32 daddr) +{ + struct fnhe_hash_bucket *hash; + struct fib_nh_exception *fnhe, __rcu **fnhe_p; + u32 hval = fnhe_hashfun(daddr); + + spin_lock_bh(&fnhe_lock); + + hash = rcu_dereference_protected(nh->nh_exceptions, + lockdep_is_held(&fnhe_lock)); + hash += hval; + + fnhe_p = &hash->chain; + fnhe = rcu_dereference_protected(*fnhe_p, lockdep_is_held(&fnhe_lock)); + while (fnhe) { + if (fnhe->fnhe_daddr == daddr) { + rcu_assign_pointer(*fnhe_p, rcu_dereference_protected( + fnhe->fnhe_next, lockdep_is_held(&fnhe_lock))); + fnhe_flush_routes(fnhe); + kfree_rcu(fnhe, rcu); + break; + } + fnhe_p = &fnhe->fnhe_next; + fnhe = rcu_dereference_protected(fnhe->fnhe_next, + lockdep_is_held(&fnhe_lock)); + } + + spin_unlock_bh(&fnhe_lock); +} + static struct fib_nh_exception *find_exception(struct fib_nh *nh, __be32 daddr) { struct fnhe_hash_bucket *hash = nh->nh_exceptions; @@ -1272,8 +1302,14 @@ static struct fib_nh_exception *find_exc
for (fnhe = rcu_dereference(hash[hval].chain); fnhe; fnhe = rcu_dereference(fnhe->fnhe_next)) { - if (fnhe->fnhe_daddr == daddr) + if (fnhe->fnhe_daddr == daddr) { + if (fnhe->fnhe_expires && + time_after(jiffies, fnhe->fnhe_expires)) { + ip_del_fnhe(nh, daddr); + break; + } return fnhe; + } } return NULL; } @@ -1568,36 +1604,6 @@ static void ip_handle_martian_source(str #endif }
-static void ip_del_fnhe(struct fib_nh *nh, __be32 daddr) -{ - struct fnhe_hash_bucket *hash; - struct fib_nh_exception *fnhe, __rcu **fnhe_p; - u32 hval = fnhe_hashfun(daddr); - - spin_lock_bh(&fnhe_lock); - - hash = rcu_dereference_protected(nh->nh_exceptions, - lockdep_is_held(&fnhe_lock)); - hash += hval; - - fnhe_p = &hash->chain; - fnhe = rcu_dereference_protected(*fnhe_p, lockdep_is_held(&fnhe_lock)); - while (fnhe) { - if (fnhe->fnhe_daddr == daddr) { - rcu_assign_pointer(*fnhe_p, rcu_dereference_protected( - fnhe->fnhe_next, lockdep_is_held(&fnhe_lock))); - fnhe_flush_routes(fnhe); - kfree_rcu(fnhe, rcu); - break; - } - fnhe_p = &fnhe->fnhe_next; - fnhe = rcu_dereference_protected(fnhe->fnhe_next, - lockdep_is_held(&fnhe_lock)); - } - - spin_unlock_bh(&fnhe_lock); -} - /* called in rcu_read_lock() section */ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, @@ -1651,20 +1657,10 @@ static int __mkroute_input(struct sk_buf
fnhe = find_exception(&FIB_RES_NH(*res), daddr); if (do_cache) { - if (fnhe) { + if (fnhe) rth = rcu_dereference(fnhe->fnhe_rth_input); - if (rth && rth->dst.expires && - time_after(jiffies, rth->dst.expires)) { - ip_del_fnhe(&FIB_RES_NH(*res), daddr); - fnhe = NULL; - } else { - goto rt_cache; - } - } - - rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); - -rt_cache: + else + rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); if (rt_cache_valid(rth)) { skb_dst_set_noref(skb, &rth->dst); goto out; @@ -2000,39 +1996,31 @@ static struct rtable *__mkroute_output(c * the loopback interface and the IP_PKTINFO ipi_ifindex will * be set to the loopback interface as well. */ - fi = NULL; + do_cache = false; }
fnhe = NULL; do_cache &= fi != NULL; - if (do_cache) { + if (fi) { struct rtable __rcu **prth; struct fib_nh *nh = &FIB_RES_NH(*res);
fnhe = find_exception(nh, fl4->daddr); + if (!do_cache) + goto add; if (fnhe) { prth = &fnhe->fnhe_rth_output; - rth = rcu_dereference(*prth); - if (rth && rth->dst.expires && - time_after(jiffies, rth->dst.expires)) { - ip_del_fnhe(nh, fl4->daddr); - fnhe = NULL; - } else { - goto rt_cache; + } else { + if (unlikely(fl4->flowi4_flags & + FLOWI_FLAG_KNOWN_NH && + !(nh->nh_gw && + nh->nh_scope == RT_SCOPE_LINK))) { + do_cache = false; + goto add; } + prth = raw_cpu_ptr(nh->nh_pcpu_rth_output); } - - if (unlikely(fl4->flowi4_flags & - FLOWI_FLAG_KNOWN_NH && - !(nh->nh_gw && - nh->nh_scope == RT_SCOPE_LINK))) { - do_cache = false; - goto add; - } - prth = raw_cpu_ptr(nh->nh_pcpu_rth_output); rth = rcu_dereference(*prth); - -rt_cache: if (rt_cache_valid(rth)) { dst_hold(&rth->dst); return rth;
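Review bot: fnhe->fnhe_expires = max(1UL, expires) in update_or_create_fnhe() needs a comment. The new test in find_exception(), fnhe->fnhe_expires && time_after(jiffies, fnhe->fnhe_expires), treats 0 as "never expires", and that is the only reason for the clamp. find_exception() also changes from a pure lookup into one that can call ip_del_fnhe() and take fnhe_lock with spin_lock_bh(); the "called in rcu_read_lock() section" comment visible above __mkroute_input shows at least one caller runs under RCU, so a line above find_exception() saying it may delete an expired entry and return NULL would make that side effect obvious to callers.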
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" ebiederm@xmission.com
commit 03f1fc09180b345582889a344b012d069b3a6dbe upstream.
Capture the pid namespace when /proc/sysvipc/msg /proc/sysvipc/shm and /proc/sysvipc/sem are opened, and make it available through the new helper ipc_seq_pid_ns.
This makes it possible to report the pids in these files in the pid namespace of the opener of the files.
Implement ipc_update_pid. A simple inline helper that will only update a struct pid pointer if the new value does not equal the old value. This removes the need for wordy code sequences like:
old = object->pid;
object->pid = new;
put_pid(old);
and
old = object->pid;
if (old != new) {
	object->pid = new;
	put_pid(old);
}
Allowing the following to be written instead:
ipc_update_pid(&object->pid, new);
Which is easier to read and ensures that the pid reference count is not touched when the old and the new values are the same. Not touching the reference count in this case is important to help avoid issues like af_unix experienced, where multiple threads of the same process managed to bounce the struct pid between cpu cache lines, by updating the pid's reference count.
Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 ipc/util.c | 9 +++++++++
 ipc/util.h | 11 +++++++++++
 2 files changed, 20 insertions(+)
--- a/ipc/util.c +++ b/ipc/util.c @@ -777,9 +777,16 @@ int ipc_parse_version(int *cmd) #ifdef CONFIG_PROC_FS struct ipc_proc_iter { struct ipc_namespace *ns; + struct pid_namespace *pid_ns; struct ipc_proc_iface *iface; };
+struct pid_namespace *ipc_seq_pid_ns(struct seq_file *s) +{ + struct ipc_proc_iter *iter = s->private; + return iter->pid_ns; +} + /* * This routine locks the ipc structure found at least at position pos. */ @@ -914,6 +921,7 @@ static int sysvipc_proc_open(struct inod
iter->iface = PDE_DATA(inode); iter->ns = get_ipc_ns(current->nsproxy->ipc_ns); + iter->pid_ns = get_pid_ns(task_active_pid_ns(current)); out: return ret; } @@ -923,6 +931,7 @@ static int sysvipc_proc_release(struct i struct seq_file *seq = file->private_data; struct ipc_proc_iter *iter = seq->private; put_ipc_ns(iter->ns); + put_pid_ns(iter->pid_ns); return seq_release_private(inode, file); }
--- a/ipc/util.h +++ b/ipc/util.h @@ -20,6 +20,7 @@ void msg_init(void); void shm_init(void);
struct ipc_namespace; +struct pid_namespace;
#ifdef CONFIG_POSIX_MQUEUE extern void mq_clear_sbinfo(struct ipc_namespace *ns); @@ -90,6 +91,7 @@ void ipc_init_ids(struct ipc_ids *); #ifdef CONFIG_PROC_FS void __init ipc_init_proc_interface(const char *path, const char *header, int ids, int (*show)(struct seq_file *, void *)); +struct pid_namespace *ipc_seq_pid_ns(struct seq_file *); #else #define ipc_init_proc_interface(path, header, ids, show) do {} while (0) #endif @@ -141,6 +143,15 @@ struct kern_ipc_perm *ipcctl_pre_down_no struct ipc_ids *ids, int id, int cmd, struct ipc64_perm *perm, int extra_perm);
+static inline void ipc_update_pid(struct pid **pos, struct pid *pid) +{ + struct pid *old = *pos; + if (old != pid) { + *pos = get_pid(pid); + put_pid(old); + } +} + #ifndef CONFIG_ARCH_WANT_IPC_PARSE_VERSION /* On IA-64, we always use the "64-bit version" of the IPC structures. */ # define ipc_parse_version(cmd) IPC_64
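Review bot: ipc_update_pid() in ipc/util.h reads *pos, compares and then stores without any locking or atomic exchange, so two concurrent callers on the same object could both put_pid() the same old pointer; the helper should carry a comment stating which lock the caller must hold. In ipc/util.c, ipc_seq_pid_ns() is a new non-static helper with no comment and no blank line after the declaration of iter. A short description that the returned namespace is the one captured in sysvipc_proc_open() and is dropped by put_pid_ns() in sysvipc_proc_release() would tell callers how long the pointer stays valid.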
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rasmus Villemoes linux@rasmusvillemoes.dk
commit 2c964a2f4191f2229566895f1a0e85f8339f5dd1 upstream.
The two functions alloc_tty_struct and initialize_tty_struct are always called together. Merge them into alloc_tty_struct, updating its prototype and the only two callers of these functions.
Signed-off-by: Rasmus Villemoes linux@rasmusvillemoes.dk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/tty/pty.c | 19 +++++++++----------
 drivers/tty/tty_io.c | 37 +++++++++++++------------------------
 include/linux/tty.h | 4 +---
 3 files changed, 23 insertions(+), 37 deletions(-)
--- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -319,7 +319,7 @@ done: * pty_common_install - set up the pty pair * @driver: the pty driver * @tty: the tty being instantiated - * @bool: legacy, true if this is BSD style + * @legacy: true if this is BSD style * * Perform the initial set up for the tty/pty pair. Called from the * tty layer when the port is first opened. @@ -334,18 +334,17 @@ static int pty_common_install(struct tty int idx = tty->index; int retval = -ENOMEM;
- o_tty = alloc_tty_struct(); - if (!o_tty) - goto err; ports[0] = kmalloc(sizeof **ports, GFP_KERNEL); ports[1] = kmalloc(sizeof **ports, GFP_KERNEL); if (!ports[0] || !ports[1]) - goto err_free_tty; + goto err; if (!try_module_get(driver->other->owner)) { /* This cannot in fact currently happen */ - goto err_free_tty; + goto err; } - initialize_tty_struct(o_tty, driver->other, idx); + o_tty = alloc_tty_struct(driver->other, idx); + if (!o_tty) + goto err_put_module;
if (legacy) { /* We always use new tty termios data so we can do this @@ -390,12 +389,12 @@ err_free_termios: tty_free_termios(tty); err_deinit_tty: deinitialize_tty_struct(o_tty); + free_tty_struct(o_tty); +err_put_module: module_put(o_tty->driver->owner); -err_free_tty: +err: kfree(ports[0]); kfree(ports[1]); - free_tty_struct(o_tty); -err: return retval; }
--- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -157,20 +157,6 @@ static void __proc_set_tty(struct task_s static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
/** - * alloc_tty_struct - allocate a tty object - * - * Return a new empty tty structure. The data fields have not - * been initialized in any way but has been zeroed - * - * Locking: none - */ - -struct tty_struct *alloc_tty_struct(void) -{ - return kzalloc(sizeof(struct tty_struct), GFP_KERNEL); -} - -/** * free_tty_struct - free a disused tty * @tty: tty struct to free * @@ -1455,12 +1441,11 @@ struct tty_struct *tty_init_dev(struct t if (!try_module_get(driver->owner)) return ERR_PTR(-ENODEV);
- tty = alloc_tty_struct(); + tty = alloc_tty_struct(driver, idx); if (!tty) { retval = -ENOMEM; goto err_module_put; } - initialize_tty_struct(tty, driver, idx);
tty_lock(tty); retval = tty_driver_install_tty(driver, tty); @@ -3034,19 +3019,21 @@ static struct device *tty_get_device(str
/** - * initialize_tty_struct - * @tty: tty to initialize + * alloc_tty_struct * - * This subroutine initializes a tty structure that has been newly - * allocated. + * This subroutine allocates and initializes a tty structure. * - * Locking: none - tty in question must not be exposed at this point + * Locking: none - tty in question is not exposed at this point */
-void initialize_tty_struct(struct tty_struct *tty, - struct tty_driver *driver, int idx) +struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) { - memset(tty, 0, sizeof(struct tty_struct)); + struct tty_struct *tty; + + tty = kzalloc(sizeof(*tty), GFP_KERNEL); + if (!tty) + return NULL; + kref_init(&tty->kref); tty->magic = TTY_MAGIC; tty_ldisc_init(tty); @@ -3070,6 +3057,8 @@ void initialize_tty_struct(struct tty_st tty->index = idx; tty_line_name(driver, idx, tty->name); tty->dev = tty_get_device(tty); + + return tty; }
/** --- a/include/linux/tty.h +++ b/include/linux/tty.h @@ -477,13 +477,11 @@ extern int tty_mode_ioctl(struct tty_str unsigned int cmd, unsigned long arg); extern int tty_perform_flush(struct tty_struct *tty, unsigned long arg); extern void tty_default_fops(struct file_operations *fops); -extern struct tty_struct *alloc_tty_struct(void); +extern struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx); extern int tty_alloc_file(struct file *file); extern void tty_add_file(struct tty_struct *tty, struct file *file); extern void tty_free_file(struct file *file); extern void free_tty_struct(struct tty_struct *tty); -extern void initialize_tty_struct(struct tty_struct *tty, - struct tty_driver *driver, int idx); extern void deinitialize_tty_struct(struct tty_struct *tty); extern struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx); extern int tty_release(struct inode *inode, struct file *filp);
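Review bot: the reordered error labels in pty_common_install() dereference o_tty after it is gone. Falling through from err_deinit_tty, free_tty_struct(o_tty) now runs immediately before module_put(o_tty->driver->owner), and the new goto err_put_module is taken precisely when alloc_tty_struct() returned NULL, so on that path the module_put() argument is a NULL dereference. Using module_put(driver->other->owner), the same expression passed to try_module_get() earlier in the function, removes both problems.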
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steve French smfrench@gmail.com
commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.
RHBZ: 1453123
Since at least the 3.10 kernel and likely a lot earlier we have not been able to create unix domain sockets in a cifs share when mounted using the SFU mount option (except when mounted with the cifs unix extensions to Samba e.g.) Trying to create a socket, for example using the af_unix command from xfstests will cause:
BUG: unable to handle kernel NULL pointer dereference at 00000000 00000040
Since no one uses or depends on being able to create unix domain sockets on a cifs share the easiest fix to stop this vulnerability is to simply not allow creation of any other special files than char or block devices when sfu is used.
Added update to Ronnie's patch to handle a tcon link leak, and to address a buf leak noticed by Gustavo and Colin.
Acked-by: Gustavo A. R. Silva gustavo@embeddedor.com
CC: Colin Ian King colin.king@canonical.com
Reviewed-by: Pavel Shilovsky pshilov@microsoft.com
Reported-by: Eryu Guan eguan@redhat.com
Signed-off-by: Ronnie Sahlberg lsahlber@redhat.com
Signed-off-by: Steve French smfrench@gmail.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 fs/cifs/dir.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c @@ -665,6 +665,9 @@ int cifs_mknod(struct inode *inode, stru goto mknod_out; }
+ if (!S_ISCHR(mode) && !S_ISBLK(mode)) + goto mknod_out; + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) goto mknod_out;
@@ -673,10 +676,8 @@ int cifs_mknod(struct inode *inode, stru
buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL); if (buf == NULL) { - kfree(full_path); rc = -ENOMEM; - free_xid(xid); - return rc; + goto mknod_out; }
if (backup_cred(cifs_sb)) @@ -718,7 +719,7 @@ int cifs_mknod(struct inode *inode, stru pdev->minor = cpu_to_le64(MINOR(device_number)); rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, (char *)pdev, NULL, 0); - } /* else if (S_ISFIFO) */ + } CIFSSMBClose(xid, tcon, fid.netfid); d_drop(direntry);
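Review bot: the new early exit in the first hunk, "if (!S_ISCHR(mode) && !S_ISBLK(mode)) goto mknod_out;", returns whatever rc holds at that point, and the hunk does not show that value. Please confirm rc is a real error code there, or set one explicitly before the goto, so that a refused socket or FIFO creation cannot come back to the caller as success. The second hunk's switch to "goto mknod_out" on kmalloc failure likewise assumes that the label frees full_path and the xid as the removed lines did, and that it tolerates buf being NULL.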
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "himanshu.madhani@cavium.com" himanshu.madhani@cavium.com
commit 1514839b366417934e2f1328edb50ed1e8a719f5 upstream.
This patch fixes NULL pointer crash due to active timer running for abort IOCB.
From crash dump analysis it was discovered that get_next_timer_interrupt() encountered a corrupted entry on the timer list.
    #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
       [exception RIP: get_next_timer_interrupt+440]
       RIP: ffffffff90ea3088  RSP: ffff95e1f6f0fdf0  RFLAGS: 00010013
       RAX: ffff95e1f6451028  RBX: 000218e2389e5f40  RCX: 00000001232ad600
       RDX: 0000000000000001  RSI: ffff95e1f6f0fdf0  RDI: 0000000001232ad6
       RBP: ffff95e1f6f0fe40   R8: ffff95e1f6451188   R9: 0000000000000001
       R10: 0000000000000016  R11: 0000000000000016  R12: 00000001232ad5f6
       R13: ffff95e1f6450000  R14: ffff95e1f6f0fdf8  R15: ffff95e1f6f0fe10
       ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
Looking at the assembly of get_next_timer_interrupt(), address came from %r8 (ffff95e1f6451188) which is pointing to list_head with single entry at ffff95e5ff621178.
    0xffffffff90ea307a <get_next_timer_interrupt+426>: mov (%r8),%rdx
    0xffffffff90ea307d <get_next_timer_interrupt+429>: cmp %r8,%rdx
    0xffffffff90ea3080 <get_next_timer_interrupt+432>: je 0xffffffff90ea30a7 <get_next_timer_interrupt+471>
    0xffffffff90ea3082 <get_next_timer_interrupt+434>: nopw 0x0(%rax,%rax,1)
    0xffffffff90ea3088 <get_next_timer_interrupt+440>: testb $0x1,0x18(%rdx)

    crash> rd ffff95e1f6451188 10
    ffff95e1f6451188: ffff95e5ff621178 ffff95e5ff621178 x.b.....x.b.....
    ffff95e1f6451198: ffff95e1f6451198 ffff95e1f6451198 ..E.......E.....
    ffff95e1f64511a8: ffff95e1f64511a8 ffff95e1f64511a8 ..E.......E.....
    ffff95e1f64511b8: ffff95e77cf509a0 ffff95e77cf509a0 ...|.......|....
    ffff95e1f64511c8: ffff95e1f64511c8 ffff95e1f64511c8 ..E.......E.....

    crash> rd ffff95e5ff621178 10
    ffff95e5ff621178: 0000000000000001 ffff95e15936aa00 ..........6Y....
    ffff95e5ff621188: 0000000000000000 00000000ffffffff ................
    ffff95e5ff621198: 00000000000000a0 0000000000000010 ................
    ffff95e5ff6211a8: ffff95e5ff621198 000000000000000c ..b.............
    ffff95e5ff6211b8: 00000f5800000000 ffff95e751f8d720 ....X... ..Q....
ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.
    CACHE            NAME       OBJSIZE  ALLOCATED  TOTAL  SLABS  SSIZE
    ffff95dc7fd74d00 mnt_cache  384      19785      24948  594    16k
    SLAB             MEMORY           NODE  TOTAL  ALLOCATED  FREE
    ffffdc5dabfd8800 ffff95e5ff620000 1     42     29         13
    FREE / [ALLOCATED]
    ffff95e5ff621080 (cpu 6 cache)
Examining the contents of that memory reveals a pointer to a constant string in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().
    crash> rd ffffffffc059277c 20
    ffffffffc059277c: 6e490074726f6261 0074707572726574 abort.Interrupt.
    ffffffffc059278c: 00676e696c6c6f50 6920726576697244 Polling.Driver i
    ffffffffc059279c: 646f6d207325206e 6974736554000a65 n %s mode..Testi
    ffffffffc05927ac: 636976656420676e 786c252074612065 ng device at %lx
    ffffffffc05927bc: 6b63656843000a2e 646f727020676e69 ...Checking prod
    ffffffffc05927cc: 6f20444920746375 0a2e706968632066 uct ID of chip..
    ffffffffc05927dc: 5120646e756f4600 204130303232414c .Found QLA2200A
    ffffffffc05927ec: 43000a2e70696843 20676e696b636568 Chip...Checking
    ffffffffc05927fc: 65786f626c69616d 6c636e69000a2e73 mailboxes...incl
    ffffffffc059280c: 756e696c2f656475 616d2d616d642f78 ude/linux/dma-ma

    crash> struct -ox srb_iocb
    struct srb_iocb {
               union {
                   struct {...} logio;
                   struct {...} els_logo;
                   struct {...} tmf;
                   struct {...} fxiocb;
                   struct {...} abt;
                   struct ct_arg ctarg;
                   struct {...} mbx;
                   struct {...} nack;
       [0x0 ] } u;
       [0xb8] struct timer_list timer;
      [0x108] void (*timeout)(void *);
    }
    SIZE: 0x110

    crash> ! bc
    ibase=16
    obase=10
    B8+40
    F8
The object is a srb_t, and at offset 0xf8 within that structure (i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.
Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
Signed-off-by: Himanshu Madhani himanshu.madhani@cavium.com
Reviewed-by: Johannes Thumshirn jthumshirn@suse.de
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
 drivers/scsi/qla2xxx/qla_init.c | 1 +
 1 file changed, 1 insertion(+)
--- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -363,6 +363,7 @@ qla24xx_abort_sp_done(void *data, void * srb_t *sp = (srb_t *)ptr; struct srb_iocb *abt = &sp->u.iocb_cmd;
+ del_timer(&sp->u.iocb_cmd.timer); complete(&abt->u.abt.comp); }
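Review bot: del_timer() in qla24xx_abort_sp_done() only deactivates a pending timer and does not wait for a timeout handler that is already running on another CPU, so the srb could still be released while that handler is executing once complete() wakes the waiter. The commit message traces the crash to a timer_list inside a freed mempool object, so please confirm the abort timeout handler cannot run concurrently with this completion callback, or state why del_timer_sync() is not usable in this context. As a style point, abt already points at &sp->u.iocb_cmd, so del_timer(&abt->timer) would read more consistently with the complete(&abt->u.abt.comp) line that follows.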
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso dave@stgolabs.net
commit d0edd8528362c07216498340e928159510595e7b upstream.
Considering Linus' past rants about the (ab)use of BUG in the kernel, I took a look at how we deal with such calls in ipc. Given that any errors or corruption in ipc code are most likely contained within the set of processes participating in the broken mechanisms, there aren't really many strong fatal system failure scenarios that would require a BUG call. Also, if something is seriously wrong, ipc might not be the place for such a BUG either.
1. For example, recently, a customer hit one of these BUG_ONs in shm after failing shm_lock(). A busted ID imho does not merit a BUG_ON, and WARN would have been better.
2. MSG_COPY functionality of posix msgrcv(2) for checkpoint/restore. I don't see how we can hit this anyway -- at least it should be IS_ERR. The 'copy' arg from do_msgrcv is always set by calling prepare_copy() first and foremost. We could also probably drop this check altogether. Either way, it does not merit a BUG_ON.
3. No ->fault() callback for the fs getting the corresponding page -- seems selfish to make the system unusable.